GDPR – the General Data Protection Regulation – is an incredibly important and wide-ranging piece of legislation and impacts every business.
The GDPR replaces the Data Protection Act of 2018 (DPA 1998) and is essentially the biggest sea-change for data protection in more than two decades.
While the buzz started a few years beforehand, the GDPR actually came into effect on 25 May 2018.
It’s far bigger and broader than the previous DPA, which means that GDPR compliance is more complicated.
In the simplest terms, the GDPR is designed to protect personal data linked to individuals. Of all the data protection laws that have been implemented, the GDPR is the first to give data subjects far more rights over the way in which any organisation processes personal data.
For businesses, the GDPR lays out a clear framework for exactly how to ensure that personal data breaches do not happen.
By laying out a framework for the kinds of processes that data controllers must implement, the GDPR means that the chances of a personal data breach are far lower.
GDPR forces organisations of all kinds to create and follow robust processes with which to process data – whether this is particularly sensitive personal data, biometric data, or another of the special categories.
Crucially, the GDPR’s implementation is also designed to protect data subjects’ rights by ensuring consumer data is only ever given over to an organisation with express consent from the individual.
The major differences between GDPR and older data protection laws (such as the Data Protection Act 2018) surround the definition of personal data and the role of data controllers at a business.
Under GDPR, ‘personal data’ covers far more information connected with the data subject than ever before. Furthermore, data processors (any organisation that processes personal data on behalf of another business, such as an outsourced financial services provider) are now legally obliged to comply with GDPR. This differs significantly from previous legislation, under which they weren’t obliged to do so.
Legal obligations like this vastly change the role of the data processing firm and make it extremely high risk to fail to ensure compliance with the GDPR.
GDPR is more complex and wide-ranging than previous standard contractual clauses designed to avoid a data breach.
GDPR states that data subjects must opt-in and must be informed in clear and plain language exactly what they are opting for. Previously, the data subject would have to opt-out. In other words, the onus was on individuals to contact the data controllers and ask to be removed from mailing lists and any other processing of their personal data.
Since the GDPR was implemented, organisations must ask for consent from every data subject regarding their use of personal data from the very start.
Since the UK left the European Union and is no longer one of the EU member states, the UK GDPR has come into force. So far, this largely mirrors the EU’s GDPR under different supervisory authorities. However, the UK GDPR adds another layer of compliance for businesses inside and outside of the EU.
The data protection measures under GDPR impact every business at every level. Firms that act as data controllers must have data protection officers in place, and as it impacts cross-business contracts, lots of departments need to be involved.
Furthermore, everyone at the company itself must understand the data protection directive (GDPR) and how it impacts every piece of personal data that the organisation collects and processes.
GDPR compliance will affect every business sector, but there is, of course, more impact for some than for others: for example, consumer-facing organisations, any business that trades with other international organisations, and e-commerce organisations that rely on utilising massive tracts of personal data.
Personal data under the GDPR, according to the regulation’s own definition, relates to:
“… any information relating to an identified or identifiable natural or legal person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This personal data definition from the GDPR is rather difficult to understand at first reading. It means, essentially, that if the data gathered identifies one or more persons, then it is subject to GDPR.
The kinds of things that can be considered as identifiers to that person include location data, a cookie or an IP address. This is an important point to understand. Personal data does not have to be identifiable by a name to be covered by GDPR compliance.
According to the GDPR, for the processing of personal data to be considered lawful, fair and transparent across EU member states, one of the following criteria must be fulfilled:
Personal data under GDPR also includes various special categories such as sensitive data pertaining to religious beliefs, for example. Other special categories include the data subject’s political beliefs, religious beliefs, membership of trade unions, any biometric or genetic data, data linked to sex life or orientation or to the subject’s physical or mental health.
The personal data can be used again and processed for a brand-new purpose only if the new purpose is considered compatible with the original purpose under which the data was collected. This is subject to appropriate safeguards such as pseudonymised data.
The GDPR has changed the way in which businesses collect and process personal data. It has forced businesses to carefully consider under which lawful basis they want to process data under the General Data Protection Regulation.
Businesses have to now be far more thorough and rigorous in every dealing with personal data and must be fully aware of the kinds of rights data subjects now have under the General Data Protection Regulation.
As we’ve explained, consent surrounding personal data is extremely important for GDPR compliance.
If a data protection officer doesn’t follow the GDPR guidelines and establish clear lawful reasons for the data processing, then they will not achieve GDPR compliance.
But what does the GDPR specifically say about consent? The definition is:
“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
In plain English, this means that consent is more important under GDPR than under previous data protection rules affecting EU residents. The UK GDPR follows the same definitions surrounding information security as the EU GDPR. This means that for data subjects, the issue of consent is the same.
The GDPR strengthens the meaning of consent from data subjects compared with older directives. Those involved with data processing must give the data subjects an increased amount of control and choice over the way in which data processing is carried out.
This means that it’s not enough under GDPR to get a single piece of consent for data usage, but that it’s an ongoing issue. Appropriate security must be in place to protect data subjects’ rights. The data controllers must communicate issues of consent using an easily accessible form every time and must constantly monitor compliance with GDPR.
In other words, the consent that data subjects give must be genuine under GDPR. If it is found that consent has not been freely given, then public authorities can restrict processing under certain circumstances.
Furthermore, consent may be deemed invalid by the supervisory authority if there is an imbalance of power between the data subject and the data processor. This would then lead to the consent being deemed non-compliant by the supervisory authority, with potential criminal convictions for the organisation.
The Information Commissioner’s Office is clear that consent must be obtained again if the data usage is different to the first time it was obtained. They say that this would mean the consent is “misleading and inherently unfair”.
Failing to properly understand the GDPR and the data protection obligations it contains puts businesses at a high risk of non-compliance.
Non-compliance means the possibility of fines or other penalties for breaching GDPR and member state law.
Five years after GDPR was introduced, and with UK GDPR more clearly defined, data protection authorities expect businesses to be fully compliant. GDPR is a more complex and wide-ranging framework than previous data protection laws and, as such, demands much more from the organisation that wants to process a data subject’s personal data.