Although GDPR has been in place for a number of months now, some organisations are still confused as to what effect it has on their data handling. In order to clarify the situation, we've created this handy guide that helps to explain the new regulations and their consequences for businesses.
What is GDPR?
GDPR stands for General Data Protection Regulation. Essentially, GDPR is a framework for the way in which data is collected, processed, stored, used, and deleted by organisations. It was designed to give EU citizens greater control over the use of their personal data by making those processes by which data is manipulated more transparent and accountable.
The GDPR aims to standardise data protection legislation across all EU member states. In the UK, this means that it expands on and replaces the 1998 Data Protection Act. The UK Parliament passed a new Data Protection Act 2018 to ensure that its own legislation is in keeping with the rules set out in the GDPR.
The GDPR came into effect on 25 May 2018 and is designed to give individuals a greater say over the way companies collect, use, and store their personal data. In the age of big data, personal privacy has become an increasingly important issue.
Events such as the Cambridge Analytica and Facebook scandal have raised serious concerns about how much power and influence data-hungry multinationals are gaining and how little power individual citizens have over how their data is used.
After four years of debate, discussion, and refinement, the GDPR was passed in April 2016. A two-year implementation period was allowed, giving organisations considerable opportunity to make the requisite changes to their data handling policies and processes.
What does GDPR require organisations to do?
The GDPR obliges organisations to collect, handle, and store data in a way that minimises the chance of it being misused. It does this by clearly defining what ‘personal data’ is, enforcing a ‘clear consent’ policy that means organisations must request active consent from users (rather than just assuming it), and giving individuals greater control over what information is stored.
The new regulations are not meant to make life difficult for businesses. Instead, they’re an effort to ensure that all organisations understand how personal data can be collected and utilised in an ethical manner that doesn’t alienate consumers. In total, the GDPR contains 99 articles that spell out each of the requirements businesses have to meet. Here, we’ll be looking at a few of the most important.
Key definitions within GDPR
One of the widest-reaching consequences of GDPR is its attempt to broaden the definitions of a number of key terms used frequently when discussing data protection. For instance:
- Personal data – The GDPR expands the definition of ‘personal data’ to encompass “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.” This can range from an email address to a phone number and includes everything in between.
- Special categories – These are particular types of personal data that are considered more sensitive than other types of personal data. It includes information such as criminal convictions and genetic data.
- Consent – All organisations must request explicit consent from the individual to use and store data. Consent is defined as “any freely given, specific, informed and unambiguous indication… by a statement or by a clear affirmative action, [that] signifies agreement to the processing of personal data.”
Who is affected by GDPR?
All organisations that are either controllers or processors of personal data are covered by the GDPR. A controller is defined as the person who “determines the purposes for which and the manner in which any personal data are… processed.” On the other hand, a processor is any person “who processes the data on behalf of the controller” (excluding direct employees of the controller).
This means that virtually all organisations that collect personal data in any form are subject to the restrictions set out in the GDPR. A good way of deciding whether your organisation is affected by the GDPR is to ask whether it was affected by the original Data Protection Act 1998. If it was, you will have to ensure GDPR compliance.
What is the punishment for a breach of GDPR?
One of the key ways in which the EU and national governments are hoping to ensure compliance with GDPR is via a drastic increase in the severity of punishment for non-compliance. Those organisations found guilty of non-compliance can now be fined a maximum of €20 million or 4% of the organisation’s global turnover, whichever is higher.
This is a considerable punishment for businesses of all sizes and is designed to ensure that the GDPR is taken seriously. During the GDPR consultation process, there were concerns that the new regulations would be a step in the right direction but would lack any serious enforcement mechanism. The size of the fines for non-compliance has ensured that this is not the case.
For businesses of all shapes and sizes, it’s important to understand what you need to do to ensure GDPR compliance. Here, we provide you with a brief checklist to get you started.
- Ensure you’re able to provide individuals with information pertaining to what personal data you’re storing, why you’re storing it, and how long for.
- Establish whether you’re a ‘controller’ or a ‘processor.’ Do you collect and own the data or do you simply process it on behalf of another party?
- Ensure that you have a legal basis for collecting personal data.
- Appoint a Data Protection Officer (DPO) if necessary. A DPO is required if you are a public authority, your business carries out “large scale, regular and systematic monitoring of individuals,” or you process ‘special categories’ of data.
- Utilise a consent system that allows users to actively communicate their consent to data collection. In most cases, this will be an unchecked consent box that users must click before continuing.
- Ensure your data processing and storage processes meet the standards set out in the GDPR.
- Put data breach protocols in place, so that employees understand what the process is should a breach occur.