GDPR or General Data Protection Regulation is a new set of rules designed to protect the data of people living in the European Union. It will drastically change how organisations can collect, store, process, and share the information of consumers.
The GDPR will supersede all current data protection regulations of countries in the EU — creating a single standard that all European organisations must adhere to. It will require most organisations to make significant changes to how they handle and secure user data. If your organisation does not comply with the GDPR by the 25th of May, 2018, you may face some serious fines.
This guide will share some information about why the GDPR was created, what its principles are and how your organisation should prepare for it.
What is the purpose of the GDPR?
Rapidly evolving technologies have changed how information is collected, stored, processed, and shared. It is now easy for an organisation to collect and store huge amounts of data. They can then process this data to obtain useful knowledge about members of the public.
Some organisations use the information they have collected inappropriately, selling it to other organisations without the user’s permission or processing it to obtain more information about the user. A great deal of confidential user information has also been stolen or leaked online as a result of organisations being hacked.
This has led to many consumers losing trust in the ability of organisations to handle their data appropriately. The GDPR has been created to restore consumer trust and give individuals more control over their data. It will also hold organisations more accountable for data protection.
The GDPR provides a standardised set of rules for businesses and organisations handling data obtained from EU citizens. This will make it easier for organisations to understand their obligations as they won’t have to deal with different regulations from many EU countries.
In the UK, the GDPR will work in conjunction with the Data Protection Act 1998 (DPA). It will be used to bring UK data protection laws in line with those in other EU countries. Even though the UK is set to leave the EU in 2019, it is expected that the GDPR will remain in place. The GDPR commences on the 25th of May 2018 and replaces EU directive 95/46/EC (EU Data Protection Directive).
Who does the GDPR apply to?
All EU organisations must abide by the rules spelt out in the GDPR. That includes businesses, charities, and government organisations. Organisations that reside outside of the EU but work with the data of EU citizens will also have to follow the GDPR.
Any service provider that handles the data of EU citizens will also have to follow the standard. That includes cloud storage providers, email marketing companies, analytics companies and so on.
Important GDPR terminology
To understand how the GDPR works, you will have to understand some basic terminology, including:
Personal data
The GDPR is designed to protect the personal data of individuals living in the EU. The OECD defines personal data as any information relating to an identified or identifiable individual. This includes an individual’s:
- Name and address
- Unique identifying numbers – information including social security numbers and pension card numbers.
- Social data – information about an individual’s social connections, including the names of an individual’s friends or who they follow on social media.
- Demographics – the individual’s gender, age, sexual preferences, political membership, or income.
- User-generated content – images, comments, blog posts, and articles generated by the individual.
- Biometric and genetic data – any biometric or genetic data associated with the individual.
The GDPR is designed to protect data that can be connected to an individual. It is not concerned with anonymised data that cannot be connected to someone. However, if there is a way to connect anonymous data with an individual by processing it, that data is covered under the GDPR.
The data subject, data controller and data processor
The GDPR uses three terms to describe the major players involved when handling data:
The data subject – this is the individual whose data is being collected, processed, stored, or shared. They are usually a customer, employee, contractor, or member of the public who simply visited a website and was asked to provide some personal information.
The data controller – this is the organisation that has collected data from a data subject. It is responsible for ensuring the data subject’s information is kept secure.
The data processor – this is an entity that handles the data at any point. This could be a third party company that runs statistical analysis on user data or a cloud-based data storage service. Web services like MailChimp, Google Analytics, Shopify, and Dropbox are considered data processors.
The data controller is responsible for choosing data processors that handle their users’ data appropriately and according to the rules laid out in the GDPR. If the data controller chooses a data processor that does not keep user data secure, the controller may be liable.
What are the key principles of the GDPR?
The GDPR was designed around several guiding principles. They include:
Data protection principles
Any personal data that is collected by an organisation must be protected and handled carefully. All data must be:
- Processed lawfully, fairly and transparently
- Collected for a specific and legitimate purpose
- Limited to what is necessary for a specific purpose
- Kept accurately and kept up to date
- Stored only as long as is necessary
- Kept secure and confidential using the appropriate technologies
The GDPR specifies that organisations must develop effective processes for data protection. That includes using the appropriate technologies, training staff members, and creating rigorous procedures for data protection.
Organisations must obtain permission from an individual before collecting, storing or processing their personal data. They can only process personal data if they:
- Have received authorisation from the individual who owns the data
- Are using the data to protect the interests of the individual
- Are using the data for the public interest (usually research)
- Need the data to fulfil a contract
- Are meeting the legitimate interests of the organisation
Accountability and governance
An organisation must be able to demonstrate its compliance with the GDPR. This is done by:
- Keeping a record of consent from users
- Keeping records of how data has been collected, stored and processed
- Training staff on GDPR principles
- Appointing a data protection officer
- Documenting data protection policies
The GDPR has stricter rules regarding how organisations obtain consent from users. They include:
- Requests for consent must be easy to understand
- Consent must be given freely and in an unambiguous way
- The user must be aware of how you intend to use their data
- Consent can be withdrawn at any time
- Organisations must store evidence of user consent
Individual right to privacy
The GDPR gives individuals a higher level of privacy. It does so by giving them the right to:
- Request access to the data that an organisation has on them
- Alter inaccurate data that an organisation has on them
- Object to their personal data being held by an organisation
- Have personal data erased on demand
- Move personal data from one provider to another
Users have the right to understand precisely how an organisation is going to use their information and how long the organisation will have it.
Reporting of data breaches
The GDPR requires organisations to be more transparent about the data breaches that they experience. All data breaches must be reported to the data protection authority within 72 hours of discovery. The organisation must also inform users whose data has been affected when there is a high risk to their rights and freedoms (e.g. personal information has been taken that could lead to identity theft).
Preparing for the GDPR
The GDPR becomes enforceable on 25th May 2018. After this date, any business or organisation that deals with the personal data of EU citizens must comply with these new regulations or face serious fines.
The Information Commissioner’s Office (ICO) has created a comprehensive guide to the GDPR and a 12-step guide to getting your organisation ready for the GDPR. Both of these resources are very useful and will help your organisation prepare for the upcoming changes.