The data protection rules in Europe are going through some massive changes. A huge amount of digital data is now being created on a daily basis and the rules have had to be re-written and are about to be enforced. From the 25th May 2018, the new European General Data Protection Regulation (GDPR) will update all the personal data rules.
In an increasingly digital era, the GDPR will bring about updates across the EU to all personal data laws. The previous data laws came about in the 1990s and are now seriously outdated, having failed to keep pace with the level of technological change.
GDPR will change how businesses and public sector organisations can handle their customers’ data once it starts to be enforced. It will boost the rights of individuals and give them greater control over their data.
The UK’s information commissioner, Elizabeth Denham, will be responsible for enforcing the new requirements. She has admitted that there has been a lot of “scaremongering” with regards to the new changes, so with this in mind we have put together a handy guide to explain exactly what GDPR is.
So what exactly is GDPR?
GDPR is the title for the new framework of European data protection laws. The current UK law regarding data protection is based on the 1995 data protection directive, which has now become very outdated.
The GDPR has been created to give a clear law that spans across Europe, making sure that all countries that are part of the agreement are singing from the same hymn sheet as well as giving greater rights and protection to individuals. The GDPR will bring about large changes for the general public as well as any business or organisation that handles or processes personal data.
It took over four years of negotiation to form the GDPR agreement that was accepted in April 2016 by both the European Council and the European Parliament. From there the GDPR directive and regulation were published.
After the publication of the GDPR in the EU Official Journal in May 2016, the wider community was given a two-year period in which to prepare for the changes, with the ultimate deadline being the 25th May 2018.
A data protection act for a digital age
In the UK, the government has created the new Data Protection Act, which will replace the previous version that was written in 1998. The 2018 Data Protection Act spent many months in the drafting stage and has had to pass its way through the House of Lords and the House of Commons.
The document is a massive 353 pages long and can be found here.
The document largely includes all the points covered by GDPR with some minor differences for the UK. Under EU rules, individual countries were able to select certain parts of GDPR that could be customised to fit their specific laws.
Don’t our laws already cover data protection?
How your personal data can be used will change after GDPR takes effect. The new Data Protection Act will cover the UK and contains everything within the GDPR, although there may be some subtle changes.
Each member of the EU currently operates under the 1995 data protection regulation and also has its own national laws. How your personal data can be used by companies, organisations and the government in the UK is currently covered by the Data Protection Act 1998.
What effect is it going to have on my company/charity/startup/blog?
Individuals, organisations, and companies that are either controllers or processors of personal data will be covered by the GDPR. The ICO says on its website: “If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.”
Sensitive data and personal data are both covered by GDPR. Sensitive data covers genetic data and things like religious and political views, sexual orientation and trade union membership. Personal data covers any piece of data that could identify a person, such as a name, email address or even an IP address.
So who is responsible?
Companies that are covered by GDPR will need to be more accountable for the way they handle people’s personal data.
For companies with more than 250 employees, there is a need to show why personal data is being collected and processed. This should also detail how long the data is being kept for and what security measures are in place.
It also says that companies should regularly monitor their processes, ensuring the safety of personal data at all times. For some organisations this may mean employing a dedicated data protection officer.
There is also a greater need for consent to be obtained when processing data. There will now need to be a positive opt-in to communications, and pre-ticked agreements will become a big no-no.
Transparency about access to your data
GDPR will also give individuals greater access to the data held about them by companies. Currently, when someone makes a Subject Access Request (SAR), businesses are allowed to charge them £10 to access the data that is held about them.
Under GDPR this is being removed and requests for personal data must now be free of charge. When someone asks an organisation for their data this must now be provided within 30 days.
The legislation will also give individuals greater power to have the data held about them removed. Under the “right to be forgotten”, companies and organisations should now make it easier for people to ask for their data to be removed.
But what about the £20,000,000 fines?
Let’s face it, one of the most hotly debated aspects of GDPR is the fines. If a company or organisation doesn’t handle data in the correct way, it can be fined. If an organisation is required to have a data protection officer but doesn’t, it can be fined. If there’s a security breach, it can be fined.
These monetary penalties will be decided upon by Denham’s office and the GDPR states smaller offences could result in fines of up to €10 million or two per cent of a firm’s global turnover (whichever is greater). Those with more serious consequences can have fines of up to €20 million or four per cent of a firm’s global turnover (whichever is greater). These are larger than the £500,000 penalty the ICO can currently wield and, according to analysis, last year’s fines would be 79 times higher under the new regulation.
How can I be ready for GDPR?
The changes brought about by GDPR will have varying levels of impact on businesses and organisations. For example, not every company will require a data protection officer. The ICO has produced a simple 12-step guide, which you can find here, to help you prepare for GDPR.
The ICO has said that many of GDPR’s concepts are the same as those in the current Data Protection Act (DPA), and that businesses already complying with the current law are likely to already be meeting most of the GDPR principles.
As well as the guide, a phone service is available to help small businesses ensure they are compliant.
What if we are not ready by the deadline?
Organisations and businesses that will be impacted by GDPR have had two years to get relevant data protection systems in place. But as we all know, things don’t always run smoothly. It is likely that many organisations won’t be ready for the deadline of 25th May 2018. The UK information commissioner has stated she won’t be looking to make examples by issuing large fines when they are not deserved.
The ICO has stated that they would much rather engage with companies than to issue a penalty straight away. If companies and organisations have taken steps to comply and show awareness of the new legislation they are more likely to be treated with greater leniency.
Fancy some light bedtime reading?
If our blog has only whetted your appetite regarding GDPR, we have some further reading that may give you more in-depth answers.
Want to read the full GDPR document? You can find it here.
Further advice and tips can be found in the ICO’s guide to GDPR. Pretty key reading for both organisations and individuals.