Our super streamlined take on what the GDPR is about and what you need to be considering. If you’re unsure about the GDPR we’d recommend reading this before speaking to the relevant people in your organisation and then visiting the Information Commissioner’s Office (ICO) and going through their overview documentation.
What does the GDPR stand for?
The GDPR stands for the General Data Protection Regulation (Regulation (EU) 2016/679).
Where does the regulation come from?
The regulation was proposed by the European Commission and adopted jointly by the European Parliament and the Council of the European Union.
What is the GDPR designed to do?
The GDPR is the evolution of the Data Protection Act 1998. View it as the data protection law designed for the digital age. When the Data Protection Act became law in 1998 Google and (the) Facebook didn’t exist and Amazon was only four years old. No-one had a smartphone and the term Big Data hadn’t been coined. The GDPR is designed to address this gap and takes into account changing consumer, technology and business behaviour.
The GDPR will provide a more uniform data protection regulatory environment for citizens across all European Union (EU) countries. It is intended to strengthen and unify data protection for all individuals within the EU and addresses the export of personal data outside the EU. The regulation is designed to simplify the regulatory environment for international business by unifying data protection law within the EU and replacing the Data Protection Directive (officially Directive 95/46/EC) of 1995.
So the GDPR will have direct effect for all EU citizens, but some additional legislation is required, currently in the form of the Data Protection Bill 2017, to make it work properly in the UK (for example to fill in the areas where the regulation lets each member state set its own rules).
What does it mean for individuals?
The GDPR acknowledges the digital age and will empower individuals by primarily giving them back control of their personal data, giving them new rights over who uses their personal data and transparency in how it is used. Greater control for individuals and greater accountability for the controllers and processors handling their data will mark a step-change in the management and commercialisation of personal data.
Consumers will also be able to withdraw consent as easily as they gave it, and have other rights such as the right of access, the right to rectification, the right to erasure, the right to data portability, the right to object and the right to restrict processing.
When does the GDPR take effect?
The regulation was adopted on 27 April 2016 and applies, and becomes enforceable, from 25 May 2018. Unlike a directive, it does not require national governments to pass enabling legislation to take effect: it is directly binding and applicable in every member state. National legislation such as the UK’s Data Protection Bill only covers the areas the regulation explicitly leaves to member states.
If Brexit happens will we need to be GDPR compliant?
The short and correct answer is YES.
The Government has confirmed that the UK is implementing the GDPR. Even after Brexit, when the GDPR doesn’t apply to us directly, the UK will have incorporated it into UK law instead. UK citizens have the same need for updated data protection law as the rest of Europe – and having the same data protection law will make it easier for UK businesses to interact with the European Digital Single Market.
The GDPR is designed to create consistency around the management, use and protection of consumer data across the continent. These standards will apply to all parties working with personal data within the UK and the remaining EU. Organisations should not delude themselves that Brexit will take away the need for them to be GDPR compliant.
What are the main things an organisation will need to do to be GDPR compliant?
First among them is a thorough review of what data you handle and why. This is in order to gain a complete understanding of which products, solutions and services rely on personal data and whether they will meet the standards required. Key to this is knowing how data is acquired, used, stored, protected (including encryption both at rest and in transit), shared and, eventually, disposed of in the business, and whether any of that needs to change before the GDPR applies.
At the heart of the GDPR are seven data protection principles (the six principles in Article 5(1) plus accountability in Article 5(2)). These say that you must:
- use personal data lawfully, fairly and in a transparent way (lawfulness, fairness and transparency);
- specify the purposes for which you use the data, and not reuse it for any other incompatible purpose (purpose limitation);
- make sure that the data is adequate, relevant and limited to what is necessary (data minimisation);
- take steps to ensure that the data is accurate and, where appropriate, kept up to date (accuracy);
- keep the data for no longer than you need it (storage limitation);
- keep the data secure against loss, damage and unauthorised or unlawful processing (integrity and confidentiality);
- be able to demonstrate how you comply with the other principles (accountability).
As an organisation you will need to meet all of these principles, not just the security one.
What are the expectations on organisations from the ICO on 25 May 2018?
Organisations will need to have a compliant approach and be able to demonstrate the ways they comply.
In a nutshell some of these requirements are:
- must maintain adequate records of processing activities (what personal data is held, why, who it is shared with and how long it is kept).
- must report personal data breaches to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to individuals, the affected individuals must be told as well.
- must conduct Data Protection Impact Assessments on any processing which is likely to present a high risk to individuals.
Failure to comply with the GDPR can result in fines of up to 4% of worldwide annual turnover or 20 million Euros (around £17 million), whichever is higher. In addition, the UK Data Protection Bill creates new criminal offences for intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data and for altering records with intent to prevent disclosure following a Subject Access Request.
What will happen if my organisation cannot meet the regulations on 25 May 2018?
If your team is unsure whether your controls and processes will adhere to the GDPR on 25 May 2018 then it’s time to create some bandwidth. You’ll want to review the regulation, work out how it impacts you and then create a plan of change for how to get there.
The ICO can fine businesses for failure to comply. It may be that 25 May 2018 is not a hard deadline in terms of enforcement and that the ICO will show some flexibility and understanding around the pressure the GDPR puts organisations under, but by its very nature being in this position is a risk. In addition, if you’re not GDPR compliant, will other organisations want to work with you and expose themselves to the same level of risk?
Another consideration is that if you need to retrofit the GDPR into your organisation processes post-25 May 2018 you may find yourself considerably behind your competitors and at a serious competitive disadvantage.
I work in marketing, will I have to change my sign-up forms?
Yes. You’ll need to rework the wording on your sign-up forms and their UX so that you capture only the data you need, with consent that is valid under the GDPR. Consent models have changed over the years and you’ll now need an affirmative, verifiable consent model that requires that:
- Consent must be obtained on an opt-in basis (a clear affirmative action such as ticking an unticked box), not opt-out; pre-ticked boxes and silence do not count.
- Consent must be freely given, specific and informed, and you must be able to show who consented, when and to what. Freely given means it probably isn’t possible to require people to give consent in order to obtain a benefit or a service, e.g. you can’t require people to agree to receive marketing emails if they want to enter a prize draw.
In addition, any consent gathered before the GDPR will need to meet these requirements if you want to rely on it post-GDPR, so lots of organisations might need to resolicit consent in advance of the GDPR. But when they do they need to be careful: the ICO says that emails sent to ask people to consent to marketing emails are themselves marketing emails, so you need consent (under the existing rules) to send those requests. The ICO has fined a few organisations for doing this recently. Again this is complicated and you’ll need your legal and compliance teams to help you navigate this challenge.