GDPR is a European Union piece of legislation, that will come into effect on 25th May 2018 regardless of Brexit and the UK leaving the EU. GDPR applies to “controllers” and “processors”. The definitions are broadly the same as under the DPA – ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the Data Protection Act, it is likely that you will also be subject to the GDPR.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
What information does GDPR apply to?
Like the Data Protection Act, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For most organisations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the Data Protection Act, it will also fall within the scope of the GDPR.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the Data Protection Act’s definition and could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data”. These categories are broadly the same as those in the Data Protection Act, but there are some minor changes.
For example, the special categories specifically include genetic and biometric data, where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.
When can I process data under the GDPR?
Once the legislation comes into effect, controllers must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
What do you mean by ‘lawful’?
‘Lawfully’ has a range of alternative meanings, not all of which need apply. Firstly, it could be lawful if the subject has consented to their data being processed. Alternatively, lawful can mean to comply with a contract or legal obligation; to protect an interest that is “essential for the life of” the subject; if processing the data is in the public interest; or if doing so is in the controller’s legitimate interest – such as preventing fraud.
At least one of these justifications must apply in order to process data.
How do I get consent under the GDPR?
Consent must be an active, affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs.
Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want. If your current model for obtaining consent doesn’t meet these new rules, you’ll have to bring it up to scratch or stop collecting data under that model when the GDPR applies in 2018.
What counts as personal data under the GDPR?
The EU has substantially expanded the definition of personal data under the GDPR. To reflect the types of data organisations now collect about people, online identifiers such as IP addresses now qualify as personal data. Other data, like economic, cultural or mental health information, are also considered personally identifiable information.
Pseudonymised personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.
Anything that counted as personal data under the Data Protection Act also qualifies as personal data under the GDPR.
When can people access the data we store on them?
People can ask for access at “reasonable intervals”, and controllers must generally respond within one month. The GDPR requires that controllers and processors must be transparent about how they collect data, what they do with it, and how they process it, and must be clear (using plain language) in explaining these things to people.
People have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it. Where possible, data controllers should provide secure, direct access for people to review what information a controller stores about them.
They can also ask for that data, if incorrect or incomplete, to be rectified whenever they want.
What’s the ‘right to be forgotten’?
Individuals also have the right to demand that their data is deleted if it’s no longer necessary to the purpose for which it was collected. This is known as the ‘right to be forgotten’. Under this rule, they can also demand that their data is erased if they’ve withdrawn their consent for their data to be collected, or object to the way it is being processed.
The controller is responsible for telling other organisations (for instance, Google) to delete any links to copies of that data, as well as the copies themselves.
What if they want to move their data elsewhere?
Controllers must now store people’s information in commonly used formats (like CSV files), so that they can move a person’s data to another organisation (free of charge) if the person requests it. Controllers must do this within one month.
What if we suffer a data breach?
If you suffer a data breach that puts the rights and freedoms of individuals at risk, you must notify a data protection authority (the Information Commissioner’s Office (ICO) in the UK) within 72 hours of your organisation becoming aware of it.
While you can’t be expected to detail every aspect of a breach upon discovering it, you should notify the data protection authority of the nature of the data that has been breached, and the approximate number of people affected. You should also detail the potential consequences for those people and what measures you have taken or plan to take.
You should also notify the people affected by the breach, even before you tell the data protection authority.
If you don’t meet the 72-hour deadline, you risk being saddled with a fine of up to €10 million, or 2% of your global annual turnover, whichever is greater.
Okay, what other consequences are there for failing to obey the GDPR?
Well, if you don’t follow the basic principles for processing data, such as consent, ignore individuals’ rights over their data, or transfer data to another country, the fines are even worse. Your data protection authority could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is greater.
If you require assistance with planning for GDPR, contact Ascentant for practical help and guidance.