On the 27th April 2016, The General Data Protection Regulation, or GDPR, was officially adopted. Following a two year transition period, the GDPR will go into effect on 25th May 2018. This will also signal the end of the current Data Protection Act of 1998 as well as the EU E-Privacy Directive. If you’re unsure of what the GDPR is or how it will affect you, then edirect are here to help.
Let us break it down for you
What is the general data protection regulation?
The world that we live in today is far different to the one that existed when data protection was first implemented around 20 years ago. We are living in a technological age thanks to the introduction of smartphones, tablets, laptops and personal computers. As a result, there has been an exponential increase in the amount of digital information being created, captured and stored.
This increase means that the current data protection laws are simply inadequate and provide too many areas in which data can be misused. With The General Data Protection Regulation, data protection laws are being completely overhauled to bring them into line with the new technologically advanced world that we live in.
The GDPR is, in a nutshell, a new set of laws created to better govern how businesses handle sensitive personal data. It regulates how companies communicate as well as how they store and utilise customer information and will encompass any business that is associated with a European member state.
Why was such a regulation implemented?
Unlike its predecessors, the GDPR is a regulation and NOT a directive.
With a directive, goals are outlined and how the directive is interpreted differs from one country to the next. This creates a bit of a mess with multiple e-mail laws that make enforcing the directive a little tricky.
With a regulation, it is a binding legal agreement that carries serious penalties for failure to comply. There is one set of rules that ALL countries must abide by – no exceptions!
What about brexit?
Simply put; Brexit will have zero impact on the GDPR and its implementation. This means, that even after we have left Europe, businesses with European contacts or subscribers will still be required to follow the rules set out in the regulation or face the consequences. Here in the UK, the GDPR will be enforced by ‘The Information Commissioner’s Office’.
The UK will be implementing a new ‘Data Protection Bill’ which, aside from a few minor alterations, includes all provisions for the GDPR. In effect, the rules for us will be no different than for a business based in France, Germany, Spain or any of the other EU member states.
The data protection bill
As mentioned above, virtually all GDPR provisions will be implemented into the upcoming Data Protection Bill. There are some minor changes such as adding a layer of protection for certain individuals including researchers, agencies involved in anti-doping and journalists. As of writing, the bill is still yet to pass and has already been subject to some amendments.
Once the new bill is passed, the existing data protection laws will be repealed, and the new bill will come into full effect.
What is covered under the gdpr & how will my business be affected?
You will be affected by the GDPR regardless of whether you’re responsible for controlling or processing the flow of personal data. The regulation covers any and all data, both personal and sensitive that can be used to identify an individual. Such information can include, but is not limited to:
- Social Media ID
- Address (both residential and IP)
- Telephone Number
- E-Mail Address and more
Put simply; anything about a person that you acquire is covered by the regulation. Such information, as mentioned above, can be broken down into two categories – personal and sensitive. While the above largely relates to personal information, sensitive information can include, but is not limited to:
- Genetic Data
- Religious Views
- Political Views
- Sexual Orientation
- Medical History and more
While the definitions of the regulation are, for the most part, the same as the current data protection laws, the GDPR does differ in one area. Pseudonymised data can be covered by the regulation, but this is only provided that the individual in question can be identified by the pseudonym.
How will the gdpr change the current situation?
With the GDPR, there will now be a greater emphasis on transparency between businesses and their customers. Do you want to know what sort of information a company holds about you? Well, with this regulation in place the process becomes a whole lot simpler.
Furthermore, the responsibility of companies who hold and process personal information is far more cut and dry. Newly defined rules clearly outline the requirements of businesses to obtain the necessary consent – as well as be able to prove that consent has been given. A new fines regime ensures that any companies that fail to follow the GDPR to the letter will face serious consequences.
In essence, the GDPR ensures that the individual is protected at all times. Companies are required to operate with complete honesty, and the individual will be afforded new rights including:
- The right to have all of their data deleted
- The right to opt out of having certain data used
- The right to have incomplete data completed
- The right to know what data is being processed and how this is being done
- The right to move data from one organisation to another without issue
Personal data can relate to anything which can be used in the identification of an individual – so even a social media ID must be protected. Information must be obtained and processed only with the permission of the individual in question – this basically relates to everything that you do and should be written into your terms and conditions.
One thing to note is that there are two types of consent that you must consider. The type required depends on whether you are requesting and processing personal or sensitive data.
Unambiguous consent must be obtained for all personal data. For sensitive data, explicit consent must be obtained. It is important to understand this distinction, so you don’t end up in violation of the regulation.
How are businesses accountable? What must they do to remain compliant?
From data protection policies and impact assessments to documents pertaining to how data is processed, companies are now more accountable for how personal information is handled. If you’ve been watching the news over the last year, you will likely be well aware of several major data breaches that have occurred.
Under the new regulation, such breaches, or basically any situation that involves the destruction, loss, alteration, unauthorised disclosure of, or access to personal data must be reported. In the UK, you must report this to the International Commissioner’s Office 72 hours after the breach occurs. Such breaches that must be reported include any that might have a detrimental impact on an individual such as financial loss or breach of confidentiality.
Documentation on why information is being collected and processed complete with descriptions of the information must be kept by companies with more than 250 employees. The description should be accompanied by information on how long the data has been held for as well as what security measures have been implemented to protect it.
For larger companies that practise regular and systematic monitoring, a Data Protection Officer must be employed or assigned. The DPO will serve as a point of contact for employees, monitor compliance with the GDPR and report to senior members of staff.
Individual access to personal data
In the past, if you requested access to personal data being held about you by a company or organisation, you had to submit a Subject Access Request or SAR. This typically involved a £10 fee which under the GDPR is being scrapped. Upon a request for information being made, a company or organisation has one month to provide the requested data – free of charge!
In cases where consent is withdrawn, information was unlawfully collected and processed, or the information is no longer relevant, an individual can request that their data be deleted. The individual also has a right to an explanation of a decision made about them rather than being subject to automated processing of data.
How can edirect help?
With so much to consider and so many factors that may or may not affect your business, it can be difficult to know what to do for the best. Here at edirect, we have an in-house specialist who is fully qualified to help prepare your business for the GDPR.
From making determinations on what data is being held and updating procedures to putting in place a plan for what will happen in the event of a breach, we are here to help.
For businesses that are already complying with the current Data Protection Act, you will likely be already meeting most of the GDPR principles. Edirect will ensure that you’re meeting ALL the principles, and are entirely compliant with the regulation.
If you’re concerned about how the new GDPR will affect your business, make sure you give edirect a call today. You will speak directly with our in-house GDPR expert, Ollie Lawson, who is fully qualified to provide you with advice tailored to the needs of your business.
Ollie has undertaken the necessary GDPR – Practitioner (Project Leads/ DPO) training and is now a fully certified Data Protection Officer. His duties include assuming responsibility for data protection within the organisation, and ensuring that edirect is fully compliant with the GDPR. Through his knowledge and expertise, Ollie is well-placed to advise you on how to bring your company up-to-date with the principles outlined in The General Data Protection Regulation.
What comes next?
We can start by adding an SSL Certificate to your website which will encrypt all communication, including URLs. This will not only protect your browser history but also prevent tampering by third parties ensuring that any personal data is protected. An added bonus of an SSL Certificate is that it is also considered a ranking factor by Google!
As mentioned above, you must obtain permission for everything you do, and this information can all be written into your terms and conditions. Of course, you also have to prove that the individual has given their consent and this is where checkboxes come in. We can add checkboxes to your contact form that the individual must check to agree to the terms and conditions.
In doing so, they have provided you with their unambiguous consent (please note, that pre-checked boxes are in violation of the GDPR). These check boxes will read as follows:
“I consent to [COMPANY NAME] contacting me with future updates.”
Frequently asked questions
Here are some of the more commonly asked questions that people are asking in regards to the GDPR:
What is a breach of data protection?
A breach refers to any situation in which personal data is destroyed, lost, altered, disclosed or accessed without positive consent being given. Data breaches related to both personal and sensitive information must be reported to the ICO.
What is personal data under the GDPR?
As stated above, personal data under the GDPR is anything that can be used to identify an individual and can include their name, address, telephone number and social media ID.
What are the fines?
Basically, any violation of the GDPR will result in heavy fines. For instance, if a DPO isn’t employed or assigned when required or if data isn’t collected or processed correctly. The purpose is to work with companies who are in violation to improve the situation, so business-crippling fines will never be levied.
The amount a business will be fined will largely depend on the severity of the violation. Below is an outline of the sort of amounts that a company could be fined for:
- Smaller offences – fine of up to €10 million or 2% of a firm’s global turnover (whichever is greater).
- More serious offences – fine of up to €20 million or 4% of a firm’s global turnover (whichever is greater).
What is the difference between a ‘controller’ and a ‘processor’?
The simplest definition of each is as follows:
- Controller – an entity that is directly responsible for determining how personal data is used and for what purpose.
- Processor – person or group responsible for processing any information collected by the controller.
Obtaining, recording, adapting or holding personal data is, by definition, counted as processing.
While The General Data Protection Regulation might seem daunting, the long-term implications will be of great benefit to both businesses and individuals. It’ll help you to increase your engagement by demonstrating how seriously you take both privacy and security. This will help to build trust with your customers and make them feel more comfortable about entrusting their information to you.
To find out how edirect can help, simply e-mail us or give us a call.