What is the GDPR?
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It is a legal framework designed to protect the privacy of individuals in the European Union (EU) and give them greater control over how their personal data is collected, processed and used.
The GDPR applies to the processing of personal data anywhere in the world by businesses established within the EU. It also applies globally to any business outside of the EU that processes the personal data of individuals in the course of offering goods/services within the EU or monitoring the behavior of persons in the EU.
The GDPR has been implemented into domestic laws throughout the EU, including the UK Data Protection Act 2018, which will continue in force post-Brexit.
What are the GDPR’s key requirements?
The GDPR is a positive step towards creating greater trust and transparency between organizations and individuals. Some of the areas it covers are:
- The personal data of people within the EU: this includes any information related to an individual or ‘data subject’ which can be used to directly or indirectly identify that person. This includes not only information like a name, email address or photo but also credit card or banking details; medical information; political, religious or other affiliations; criminal records; or a computer’s IP address. There is no distinction under GDPR between personal data gathered in a business-to-consumer context and business-to-business; however, there are other laws concerning how electronic communications can be used, which do differ when dealing directly with consumers.
- How personal information is processed: personal information can only be collected and processed if there is a legal basis to do so. Consent is one basis that may be used for direct marketing purposes, however, it is not the only lawful basis. Other grounds for lawfully processing personal data per Article 6 of GDPR include for the performance of a contract, compliance with a legal obligation or where there is a ‘legitimate interest’ of the business or of a third party which on balance does not infringe on the privacy rights of the individual.
- The rights of individuals: individuals have the right to request: access to their personal data, correction of errors in their personal data, erasure of their personal data, and/or an export of their personal data. They can also object to the processing of their personal data or ask for processing activities to be restricted.
- Data breaches: there are obligations to report certain types of data breaches to the relevant supervisory authority and affected individuals (for the UK the relevant authority is the Information Commissioner’s Office (ICO)).
- Data and system security: personal data must be protected using appropriate technical and organizational measures to ensure a level of security appropriate to the privacy risks associated with any particular piece of personal data throughout its life cycle.
- Overseas transfers: personal data may only be transferred outside of Europe in limited circumstances including: (i) to non-European countries that the European Commission has determined provide an adequate level of data protection; (ii) where standard data protection clauses that have been approved by the European Commission are used by the parties to the transfer; (iii) where approved codes of conduct or certifications are in place; or (iv) where ‘Binding Corporate Rules’ approved by the European Commission have been adopted by corporate groups.
- Transparency: privacy notices and user contracts need to be simple, clear and easy to understand. When collecting personal data, it should be made clear, amongst other things, what the data will be used for, how and for how long it will be held, under what lawful basis it is being processed and what rights are available to the individual. Once lawfully gathered, personal data must only be used for the purposes that it was collected and strictly in accordance with the information given to the individual.
What does GDPR mean for businesses?
The GDPR is about being clear, honest, transparent and ethical with personal data. It applies to businesses that are data controllers (the person / business that determines how personal data is processed) or data processors (the person / business which processes personal data under instruction from the data controller). If you are such an organization, you must make sure you protect the data you use, and the privacy of those you’ve collected it from, as you would any other asset.
Here are five simple steps that you can take towards GDPR compliance:
- Secure your systems: ensure the systems that collect, process and store personal data are secure. You should consider things like physical security (e.g. locks), cyber security (e.g. anti-virus), system security (e.g. firewalls), data security (e.g. encryption) and device security (e.g. authentication).
- Document your data flows: map your data and information flows to help you make a proper assessment of your privacy risks. Check which of your products and services collect and process personal data. Identify what personal information is collected, why it is collected, and how it is used, shared, stored, protected, retained and disposed of. Identify whether the data is sensitive personal data and whether you are a controller or processor of that data.
- Have a lawful basis for processing: determine the lawful basis for the processing of personal data and document it. There are six lawful bases that can be relied upon:
  - Consent: when there is genuine choice and control. Consent must be unambiguous, freely given, informed and be given by a clear affirmative action.
  - Legitimate interest: can apply where personal information is used in ways that the individual would reasonably expect, there is minimal impact, and there is a legitimate interest that is necessary for the processing to take place.
  - Contract: to fulfill contractual obligations or where there was a request to do something, such as provide a quote, prior to entering into a contract.
  - Legal obligation: to comply with a law or statutory obligation.
  - Vital interest: to protect someone’s life.
  - Public task: for public functions or tasks in the public interest.
The Information Commissioner’s Office has a lawful basis interactive guidance tool that can help you determine the most appropriate lawful basis for the processing of personal data.
- Review your notices and disclosures: review and update your privacy notice(s) to make sure they reflect your personal data processing activities. They should disclose what lawful basis you rely upon for the processing of personal data and clearly disclose the third parties you share personal data with. If relying on consent, make sure your requests for consent are clear and involve no pre-ticked checkboxes. Review and update, or determine whether any other statements or disclosures regarding the collection, use and processing of personal information are required.
- Establish internal policies and procedures: establish guidelines and formalized processes to help you handle situations such as privacy complaints, data breaches and personal information access requests.
You should also talk to your legal advisers about what you need to do to be GDPR compliant.
This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.