The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the EU. It also addresses the export of personal data outside the EU. It was introduced to unify all EU member states’ approaches to data regulation, with its primary aim being to give control to individuals over their personal data and how it is used, protecting them from organisations using their data irresponsibly. It also brings a new set of digital rights for EU citizens.
It was adopted on 14 April 2016, becomes enforceable on 25 May 2018 and replaces the 1998 Data Protection Act. Because it is a regulation (not a directive), it does not require national governments to pass any enabling legislation and is directly binding and applicable. Even though the UK is set to leave the EU, it will still apply to all businesses handling data of EU residents.
Compliance with the GDPR is vital; any business found not complying with the rules could be charged fines of up to €20m (or 4% of the company’s global annual turnover).
Why was the GDPR introduced?
The GDPR was created to regulate how businesses use data, ensuring the rules are the same throughout the entire EU. It will apply to businesses of all sizes. Recent stories such as the Cambridge Analytica scandal have demonstrated how large organisations such as Facebook are not strictly complying with a single set of rules.
The Data Protection Act 1998 (the UK’s implementation of the EU’s Data Protection Directive 1995) was drafted at a time when contemporary uses of data enabled by the internet and the cloud, where people exchange their data for “free” use of services from the likes of Google, Twitter and Facebook, were not envisaged.
Who does GDPR apply to?
‘Controllers’ and ‘processors’ of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing. Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they’re dealing with data belonging to EU residents.
It’s the controller’s responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
Once the legislation comes into effect, controllers must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
‘Lawfully’ has a range of alternative meanings, not all of which need apply. Firstly, it could be lawful if the subject has consented to their data being processed. Alternatively, lawful can mean to comply with a contract or legal obligation; to protect an interest that is “essential for the life of” the subject; if processing the data is in the public interest; or if doing so is in the controller’s legitimate interest – such as preventing fraud.
At least one of these justifications must apply in order to process data.
How do I get consent under the GDPR?
Consent must be an active, affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs. Companies will no longer be able to utilise long, illegible terms and conditions, and, importantly, it must be as easy to withdraw consent as it is to give it.
Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want. If your current model for obtaining consent doesn’t meet these new rules, you’ll have to bring it up to scratch or stop collecting data under that model when the GDPR applies in 2018.
What counts as personal data under the GDPR?
The EU has substantially expanded the definition of personal data under the GDPR. Online identifiers such as IP addresses now qualify as personal data. Other data, like economic, cultural or mental health information, posts on social media, photos and email addresses are also considered personally identifiable information. In simple terms, any information that could be used to directly or indirectly identify the person would count as personal data. It is important to bear in mind that a non-limited company (sole traders and some partnerships) would count as an individual under the GDPR, and would be covered in the same way.
When can people access the data we store on them?
Under the aim of giving people more control over their information, GDPR ensures people can ask to access their data at “reasonable intervals”, with controllers having a month to comply with these requests. Both controllers and processors must make clear how they collect people’s information, what purposes they use it for, and the ways in which they process the data. The legislation also says that firms must use plain language to convey these things clearly and coherently to people: it’s time to wave goodbye to those confusing, dense terms and conditions.
People have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it. They can also ask for that data, if incorrect or incomplete, to be rectified whenever they want.
What’s the ‘right to be forgotten’?
GDPR makes it clear that people can have their data deleted at any time if it’s not relevant anymore – i.e. the company storing it no longer needs it for the purpose they collected it for. If the data was collected under the consent model, individuals can withdraw this consent whenever they like. They might do so because they object to how an organisation is processing their information, or simply don’t want it collected anymore.
The controller is responsible for telling other organisations (for instance, Google) to delete any links to copies of that data, as well as the copies themselves.
What if they want to move their data elsewhere?
Then you have to let them – and swiftly: the legislation means citizens can expect you to honour such a request within four weeks. Controllers must ensure people’s data is in an open, common format like CSV, meaning that when it moves to another provider it can still be read.