Disclaimer: This post is not legal advice. So ensure you check your specific GDPR circumstances with a lawyer.
TL;DR: The GDPR is a regulation that activated and became applicable on 25 May 2018. It changes how businesses globally handle the personal data of European individuals (whether online, digitally, or with hard-copy). This affects non EU-based sites and businesses too. You need to make your business and websites GDPR compliant, otherwise, you could be facing some serious fines!
To be honest, small, medium, big or huge businesses – it doesn’t really matter; all sizes of businesses should be scared. The reality is that bigger businesses are more likely to be able to tolerate any fines levied if they fall foul of the GDPR (and they can be huge).
But I’m getting ahead of myself.
Well, to answer that we need to know what the GDPR is. This next bit of background adds a little necessary context, but bear with me.
GDPR stands for General Data Protection Regulation. And the GDPR will replace the Data Protection Directive (DPD) of 1995.
A brief history lesson is this:
The GDPR allowed for a two-year transition to allow businesses to get ready for it. This means it became applicable on 25 May 2018.
For those that care, unlike the DPD, which was a Directive, GDPR is a Regulation. Which means it's already law. It doesn't require national governments to pass any enabling legislation (as was necessary to make the DPD law, by passing the DPA). In other words, and like it or not, it’s live now.
The GDPR is an EU law made up of a bunch of Articles. They cover things like scope, definitions, liabilities, remediation’s, penalties etc. All of the member states of Europe have a Supervising Authority (SA) that will advise and enforce the GDPR in their region. In the UK, the SA is the ICO.
Whilst all member states have agreed to the GDPR, each member state can add to it if they wish for their region. Germany is one such member state. The GDPR is tough as it stands but Germany is adding a bunch of extra rules, making it even tougher. So if you have data stored and / or processed in Germany, you may have even more hoops to jump through.
The full 88-page Regulation can be read by all and sundry by visiting the Europa website.
There’s also lots of other helpful (and easier to read) information surrounding GDPR on the ICO website. Definitely worth checking out.
So why would the ICO come knocking at your door? Well, if you have been wronged (from a data perspective), the ICO are the organisation you complain to. For example, you're still getting emails after unsubscribing from a list. Or you have asked an organisation what data they hold about you - and you get no response. The ICO has stated that they intend to process 100% of all complaints made.
It is worth noting that it matters not whether the UK is in or out of the EU. The GDPR will still apply. That said, post-Brexit there will likely need to be some tweaks to how it is applied.
The GDPR is not too dissimilar to its predecessor, the DPA. The DPA concerned itself with how organisations, businesses or the government use personal information. Under the DPA, those responsible for using data of this type are required to adhere to strict rules (known as data protection principals).
Ok, fair enough.
The GDPR takes those principals further and wider. Meaning the ICO
If businesses ignore this law, they can be fined up to €20m (Euros) or 4% of their global annual turnover (whichever is greater). In some cases, a business can actually be shut down!
Compliance will need a lot of time and effort from businesses. Many, many businesses are only now just beginning to realise what a mammoth exercise this is. And time is running out...
Of course, that all sounds like doom and gloom - and for businesses, it isn't going to be
funor a cheap exercise. Yet, we mustn't overlook the huge positives that the GDPR will bring to us as individuals. For us, the GDPR is actually an immensely good thing indeed. And very long overdue.
The rules are pretty complex, and it is easy to find them overwhelming. It’s mostly common sense really. The rules fall into six main principles.
Personal data must be:
Personal data under the GDPR is defined as data that can be used to identify a European individual. This is regardless of where – globally - that data resides. Personally identifiable data includes obvious things things like:
Perhaps less obvious (but now well and truly in scope) are things like:
The list is pretty extensive should you go look at the regulation. Pretty much anything is fair game as personal data if a European individual can be identified by it.
Three other key definitions that crop up throughout the GDPR that you will need to be familiar with are:
Bear in mind that a person, organisation, or agency can be both a Controller and a Processor.
The scope of the GDPR is defined in two ways - Material and Territorial:
Personal data that is:
Using personal data:
As you can see, the definition of what is personal data is much broader than before. And the GDPR has a much greater territorial reach. A global company that has EU personal data stored in the US, for example, is in scope and is liable!
The GDPR still applies when the source of the data was public domain (and so was freely available). Largely, the rules here are to do with the use of the data, and whether explicit consent becomes necessary. Using such data for profiling is an example where the GDPR has a greater effect than before.
Just a few of the key rules that fall out of the six main principles, described earlier, you'll need to get to grips with are:
If you haven't started to act then you need to start now.
This is an immense undertaking for the majority of businesses. It will require many (if not all) existing business and IT processes to be reviewed and changed. It will affect business websites and how they collect and / or process data. It also affects all agreements / contracts where personal EU data is shared. This is whether it’s just for consumption or for onward processing.
And finally, businesses will need to have agreements drawn up with entities within their own organisation if such data crosses country borders. And those agreements will actually need to be logged with the SA for that country.
Below this post you can download our check list on how to go about getting compliant for the GDPR.
If you need help with GDPR, please contact us through the form on our contact page.