What is GDPR? The need-to-know guide
General Data Protection Regulation, or GDPR, will overhaul how businesses process and handle data. This need-to-know GDPR guide explains what the changes mean for you.
Next month, data protection rules across all of Europe will see their biggest change in two decades. A lot has changed since the laws governing how people’s data should be handled were drawn up in the 1990s. We now create huge amounts of digital information each day, and everything from mobile phones to smart watches collects data that could identify us.
In short, the laws overseeing our personal info aren’t fit for purpose anymore. The result is the mutually agreed European General Data Protection Regulation (GDPR), which will come into force on May 25 2018. It will change how businesses and public sector organisations can handle the information of their customers.
To help understand these changes, here’s WIRED’s guide to the GDPR.
What is GDPR exactly?
The GDPR is Europe’s new framework for data protection laws — it replaces the previous 1995 data protection directive, which current UK law is based upon.
The EU’s GDPR website says the legislation is designed to “harmonise” data privacy laws across Europe as well as give greater protection and rights to individuals. Within the GDPR there are large changes for the public as well as businesses and bodies that handle personal information, which we’ll explain in more detail later.
The new UK data protection bill
The UK government’s new data protection legislation, which will implement the vast majority of GDPR, was published on September 13, 2017. The bill must pass through the House of Commons and the House of Lords before it becomes law.
The bill will implement GDPR into UK law and largely covers all the main areas of the EU regulation. However, there is some flexibility on how individual countries implement GDPR. The government says its bill sets out a number of exemptions from GDPR. These, it says, include extra protection for journalists, scientific and historical researchers, and anti-doping agencies who handle people’s personal information.
Is my company/startup/charity going to be impacted?
In short, yes. The legislation will apply to companies of all sizes. Individuals, organisations, and companies that are either ‘controllers’ or ‘processors’ of personal data will be covered by the GDPR. “If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR,” the ICO says on its website.
Both personal data and sensitive personal data are covered by GDPR. Personal data, a complex category of information, broadly means a piece of information that can be used to identify a person. This can be a name, address, IP address… you name it. Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation, and more.
These definitions are largely the same as those within current data protection laws and can relate to information that is collected through automated processes. Where GDPR differs from current data protection laws is that pseudonymised personal data can also fall under the law, if it is possible that a person could be identified from the pseudonymised data.
So, what’s different?
In the full text of GDPR there are 99 articles setting out the rights of individuals and obligations placed on organisations covered by the regulation. These include allowing people to have easier access to the data companies hold about them, a new fines regime and a clear responsibility for organisations to obtain the consent of people they collect information about.
Helen Dixon, the data protection commissioner for Ireland, who has major technology company offices under her jurisdiction, says the new regulation was needed and is a positive move. However, she adds that while large businesses are aware of the upcoming changes there needs to be a lot more knowledge in smaller companies, including startups. “One of the issues with startups is that when they’re going through all the formalities new businesses go through, there’s no data protection hook at that stage,” Dixon says.
So, if you’re only just hearing of GDPR, here are some of the bigger changes to be prepared for.
Accountability and compliance
Companies covered by the GDPR will be more accountable for their handling of people’s personal information. This can include having data protection policies, data protection impact assessments and having relevant documents on how data is processed.
For companies that have more than 250 employees, there’s a need to have documentation of why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for and descriptions of technical security measures in place.
Additionally, companies that carry out “regular and systematic monitoring” of individuals at a large scale, or that process a lot of sensitive personal data, have to employ a data protection officer (DPO). For many organisations covered by GDPR, this may mean having to hire a new member of staff, although larger businesses and public authorities may already have people in this role. In this job, the person has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers. “It means data protection will be a boardroom issue in a way it hasn’t been in the past,” says Elizabeth Denham, the UK Information Commissioner.
There’s also a requirement for businesses to obtain consent to process data in some situations. When an organisation is relying on consent to lawfully use a person’s information, it has to clearly explain that consent is being given, and there has to be a “positive opt-in”. A blog post from Denham explains that consent is only one of several lawful bases on which organisations can process people’s data.
Access to your data
As well as putting new obligations on the companies and organisations collecting personal data, the GDPR also gives individuals a lot more power to access the information that’s held about them. At present, when someone makes a Subject Access Request (SAR), businesses and public bodies can charge them £10 to be given what is held about them.
Under the GDPR this fee is being scrapped and requests for personal information can be made free of charge. When someone asks a business for their data, it must stump up the information within one month. Everyone will have the right to get confirmation that an organisation holds information about them, access to that information and any other supplementary information. As Dixon points out, big technology companies, as well as smaller startups, will have to give users more control over their data.
One of the biggest, and most talked about, elements of the GDPR is the power for regulators to fine businesses that don’t comply with it. If an organisation doesn’t process an individual’s data in the correct way, it can be fined. If it requires a data protection officer and doesn’t have one, it can be fined. If there’s a security breach, it can be fined.
These monetary penalties will be decided upon by Denham’s office, and the GDPR states that smaller offences could result in fines of up to €10 million or two per cent of a firm’s global turnover (whichever is greater). Those with more serious consequences can attract fines of up to €20 million or four per cent of a firm’s global turnover (whichever is greater). These are far larger than the £500,000 penalty the ICO can currently wield and, according to one analysis, last year’s fines would have been 79 times higher under the new regulation.
“Having larger fines is useful but I think fundamentally what I’m saying is it’s scaremongering to suggest that we’re going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm,” Denham says. She adds that her office will be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven’t made any effort.
What is personal data?
Personal data can be anything that allows a living person to be directly or indirectly identified. This may be a name, an address, or even an IP address. It includes automated personal data and can also encompass pseudonymised data if a person can be identified from it.
What is sensitive personal data?
GDPR refers to sensitive personal data as ‘special categories’ of information. These include trade union membership, religious beliefs, political opinions, racial information, and sexual orientation.
How to prepare your business for GDPR
To help prepare for the start of GDPR, the ICO has created a 12-step guide.
The guide, which is available on the ICO’s website, includes steps such as making senior business leaders aware of the regulation, determining which information is held, updating procedures around subject access requests, and planning what should happen in the event of a data breach.
The ICO says that “many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA)”. It adds that for businesses already complying with the current data protection law, it’s highly likely they will be meeting many of the GDPR principles.
As well as this guidance, the ICO says it is creating a phone service to help small businesses prepare for GDPR. The service will provide answers about how small companies can implement GDPR procedures and starts at the beginning of November 2017.
Looking for more?
We don’t claim to have all the answers. In between a lot of GDPR hype there are some incredibly useful resources that have been published on the regulation. Here’s where to go if you’re looking for more in-depth reading:
– The full regulation. It’s 88 pages long and has 99 articles.
– The ICO’s guide to GDPR is essential for both consumers and those working within businesses.
– EU GDPR is the Union’s official website for the regulation. It details all you need to know and has a handy countdown clock for when GDPR will come into force.
– The EU’s Article 29 data protection group is publishing guidelines on data breach notifications, transparency, and subject access requests.