The General Data Protection Regulation (GDPR) will come into force across all EU member states on 25 May 2018. Despite Brexit looming, the new data security and privacy rules will apply to UK organisations. The drafting of the UK government of a new Data Protection Bill also confirmed the intention to adopt the main tenets of the GDPR into UK law even after the country leaves the EU.
To ensure your business is meeting the directives laid out in the new regulations, here we’ve covered the key facts you need to know for your business.
What is the GDPR?
The General Data Protection Regulation (GDPR) is EU-wide legislation introduced as the result of four years of work to update data protection laws to fit the way data use has evolved with the evolution of digital technology.
At present, the UK relies on the Data Protection Act 1998, which followed the 1995 EU Data Protection Directive. These regulations are no longer viewed as fit for purpose in an age of mass data processing and collection, much of which is carried out on the assumption of tacit consent by the individual.
But as it is increasingly difficult for the general public to keep track of the personal data businesses keep about them and what it is used for, the GDPR aims to significantly strengthen individual rights in relation to data privacy. The overarching aim is redress the balance between the individual and organisations as to who controls digital data.
Key principles of the GDPR
In order to achieve this balance, the GDPR sets out a certain number of principles relating to the use of personal data.
Expanded definition of personal data
Under the GDPR, what counts as personal data will be a much broader category than current definitions. To obvious identifying information such as names, addresses, account and financial details etc, digital elements such as IP addresses and device IDs will be included, meaning organisations will have to be much more careful about how they do things like track customer browsing habits and collect online data for targeted advertising.
This will affect many businesses which process and hold customer data in CRM systems. It will also have a significant effect on major online companies such as Facebook, Amazon, Google etc, as well as internet service providers, which are known to benefit from selling user data to third party advertisers.
At the heart of the GDPR is the concept that EU citizens will have a clearly defined set of rightsregarding the use of their personal data. These rights include:
The right to be told what data an organisation holds about them and what it is used for.
The right to see any data held about them.
The right to object to data collection and use.
The right to request data be erased.
This represents a step change from the existing system of tacit consent. In basic terms, it will mean organisations have to be upfront about their data use, provide mechanisms for individuals to give or withdraw consent, and be prepared to delete records on request.
For employers, there will be specific ramifications in areas like running background checks on prospective employees. It has become common practice for companies hiring new personnel to use information available through the likes of social media to assess the suitability of candidates. Under the GDPR, it is likely they will have to seek consent before doing this.
The GDPR will make organisations more accountable for protecting data privacy in a couple of important ways. For one, it will require them to actively demonstrate how they meet the new requirements, in the form of adopting clear data protection policies. Second, it increases the penalties for data breaches and non-compliance, with possible fines up to 4 per cent of a company’s turnover.
Processing data under the GDPR
The GDPR is not intended to impede organisations using data for legitimate purposes. In fact, there is an argument that it provides a clearer legal environment for businesses to operate in, removing a number of grey areas which have emerged with the evolution of digital technology.
Also, with data protection laws almost identical throughout the EU, businesses have a far more level playing-field. Savings up to €2.3 billion a year are predicated simply as a result of these changes. Given the amount of business the UK does with Europe, businesses here will continue to benefit from these savings long after Brexit.
The GDPR does not go into much detail about practicalities. On data processing, it makes three simple demands:
- Personal data must be processed in accordance with individuals’ rights;
- It must also be used for a specific, clearly explained purpose, and for that purpose only;
- Once that purpose has been fulfilled, the data must be deleted.
If businesses can demonstrate they comply with these requirements, and take appropriate steps to ensure data security, the expectation is that the GDPR will make data use easier to navigate for most organisations.