What is the GDPR?
The EU’s General Data Protection Regulation (GDPR) was introduced to unify all EU member states’ approaches to data regulation, ensuring all data protection laws are applied identically in every country within the EU. It will protect EU citizens from organisations using their data irresponsibly and puts them in charge of what information is shared, where and how it’s shared.
The GDPR comes into force on 25 May – and even though the UK is due to leave Europe in the next 12 months, it will still apply to all businesses handling EU residents’ data, effectively replacing the Data Protection Act 1998.
Complying with GDPR is vital. Any business found to be breaking the rules could face fines of up to €20 million or 4% of the company’s global annual turnover, though the toughest fines will be reserved for the worst data breaches or data abuse.
Why was GDPR drafted?
The GDPR was created to regulate how businesses use data, ensuring the rules are the same across the entire EU. Although it will apply to smaller businesses as well as large corporations, recent stories, such as the Cambridge Analytica scandal, have demonstrated how big organisations such as Amazon, Google, Twitter and Facebook are not strictly complying with a single set of rules.
The Data Protection Act 1998, the UK’s interpretation of the EU’s Data Protection Directive 1995, wasn’t envisaged with contemporary uses of data in mind. The internet and cloud have since enabled people to exchange their personal data for use of ‘free’ services provided by the likes of Google, Twitter and Facebook, and GDPR aims to rectify this.
The second driver is the EU’s desire to give organisations more clarity over the legal environment that dictates how they can behave. By making data protection law identical throughout member states, the EU believes this will collectively save companies €2.3 billion annually. It should make complying less onerous for businesses, with them only required to meet one set of rules, compared to dozens of different implementations of the EU’s Data Protection Directive 1995.
So who does the GDPR apply to?
‘Controllers’ and ‘processors’ of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing.
Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they’re dealing with data belonging to EU residents.
It’s the controller’s responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
When can I process data under the GDPR?
Once the legislation comes into effect, controllers must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
What do you mean by ‘lawful’?
‘Lawfully’ has a range of alternative meanings, not all of which need apply. Firstly, it could be lawful if the subject has consented to their data being processed. Alternatively, lawful can mean to comply with a contract or legal obligation; to protect an interest that is “essential for the life of” the subject; if processing the data is in the public interest; or if doing so is in the controller’s legitimate interest – such as preventing fraud.
At least one of these justifications must apply in order to process data.