What is GDPR and why should you care?
Wherever you look at the moment you will see someone discussing GDPR. Social Media is full of people discussing it. How it will affect you, how your business will have to change, and what it really means.
However, while there is a lot of accurate and valuable information out there, there is also a lot of speculation and guesswork.
In this article we will look at the facts around GDPR. What it actually is, what things it covers, and how it might impact an online businesses.
What is GDPR?
In 2012 the European Commission set out a plan to reform the data protection rules across the European Union in order to make it “fit for the digital age".
It took almost four years to agree on exactly what was involved in this and how it would be implemented.
One of the aspects of this reform was Regulation (EU) 2016/679, otherwise known as the General Data Protection Regulation. This was created to replace the Data Protection Directive (officially known as Directive 95/46/EC) which had been in force since 1995.
This new regulation was originally intended to become enshrined in EU member state law on the 6th May 2018, though for reasons best known to the Government it will officially come in to force in the UK on the 25th May 2018. Within the UK at least this will fully replace the current Data Protection Act 1998.
What will change?
One of the things we know is that GDPR imposes tougher restrictions on how personal data can be collected, utilised, and stored. It gives individuals greater say over what companies are allowed to do with their data, and imposes bigger legal penalties on companies who do not adhere to the regulations. There are exceptions built in for anti-doping agencies, journalists, and scientific researchers. But for everyone else it will mean changing the way we work.
Elizabeth Denham, the Information Commisioner in the UK, who will ultimately be responsible for enforcing GDPR, has stated that she believes it to be a step change for data protection, and that it is a natural evolution. However, there is a lot of misinformation, and scaremongering about GDPR. Naturally this has caused a lot of confusion.
So instead of adding in yet another opinion, here are some solid tangible facts about GDPR.
Article 5 of the GDPR states that personal data shall be “processed lawfully, fairly and in a transparent manner in relation to individuals”, however before we can understand what this means we need to understand the definitions of the terms used.
What is “personal data”?
In the context of GDPR personal data refers to any and all information that can be used to identify an individual. This includes, but is not limited to, names, email addresses, job titles, location data, or even your own unique identifiers. It makes no difference whether we are discussing automated data collection or manual data, and it even covers pseudonomous, or key coded data if the pseudonym can be easily linked back to a specific individual.
So in effect if you collect any information that can be used to identify a specific individual then the GDPR applies to you, and what you do with that data.
How does GDPR impact on businesses?
The new regulations separate businesses into two categories. That of “processors” and that of “Controllers”.
A controller “determines the purposes and means of processing personal data” whilst a processor “is responsible for processing personal data on behalf of a controller.”
What this means simply is that it is not possible to abdicate responsibility to a different company. If you use personal information that is processed by a different company or organisation then you are a controller. And the converse is also true. If you simply manipulate data provided by, and ultimately utilised by a separate organisation then you are a processor.
Whichever of these is the case, you are still subject to the regulations.
Processors will have specific legal obligations. For example, they will be required by law to keep accurate records on exactly what data they have, how they acquired it, and any processing that they have carried out on that data. This is enforceable both inside and outside the EU if the data in question relates to a citizen of an EU member state.
Exclusions apply for the purposes of law enforcement, national security, and data processing carried out by individuals for the purposes of domestic or household activities.
As the person or company ultimately responsible for the way personal data is processed the controller is subject to further legal obligations relating to their contract with the processor.
In this way a processor would be in breech if they utilised personal data in a proscribed way, yet the controller would also be in breech if the processor had utilised the data in a way that they were contracted to do so by the controller.
How will Brexit affect GDPR?
The UK is set to formally withdraw from the European Union in March 2019, less than a year after the implementation of GDPR. However, the Government has made it clear that this will have no effect on the law. The legislation will come into force before Brexit, and will remain in force after Brexit.
And so in the simplest possible sense, Brexit will have no effect on UK based businesses with regard to GDPR.
How will GDPR affect your business?
One of the reasons there has been such a vast amount of speculation and misinformation regarding GDPR is that there is no one size fits all answer to this question. As digital companies attempt to use the information they have in new and innovative ways in order to grow their business they will find GDPR will impact on them in a number of ways they did not necessarily predict.
However, there are certain things that apply to all companies.
If you collect customer email addresses in order to market your business then you may have to change the way you go about it.
You will not be allowed to send marketing or sales information to any individual unless they have specifically stated that they are happy for you to do so. This essentially means that you will have needed to ask their permission. Collecting their email for different purposes and then marketing to them will be considered a breech.
A simple example of this in practice is that marketing preference checkboxes on online forms will need to default to unchecked. That way it can be shown clearly that a conscious decision has been made on the part of the recipient. This is exactly why the national pub chain Wetherspoons recently deleted their entire email database. They had collected contact details when people signed up to use their free wifi, and used it to send out a regular newsletter. That was perfectly legal, but will not be so under GDPR.
Similarly, e-Commerce sites will no longer be able to collect the contact details of customers in order to send them marketing information just because they have bought there previously.
The Right to be Forgotten
This is one of the core tenants of GDPR. Simply stated, if someone asks to have their data removed from your system then you must do so. As long as the personal data you have on file is no longer necessary in order to carry out the purpose for which is was originally obtained then you have to comply.
This means that unless you have a current commercial justification for retaining someone’s contact details then you must delete them if they ask you to do so.
Of course this does not apply to marketing. If someone opts out of that you cannot continue to send them marketing information simply because that was why you originally obtained their details.
In practice what these two clauses together mean is that if you have a genuine commercial requirement to be able to contact your customers – often referred to in GDPR documentation as a ‘legitimate interest’ then you may do so. But if you do not have that, or if they have not explicitly stated that you are free to contact them, or even if they have previously done so, but they have withdrawn that permission, then you cannot contact them.
Find out more
This has been a very brief summary of a few of the implications of GDPR on the digital world. If you’d like to find out more then you can do so using the following links.
The full regulation: (this is not a small document, but well worth reading if it impacts on you and your business)
The ICO has published their 12 steps to prepare for GDPR:
If you’d like to find out more about how GDPR will impact on you specifically, then why not give us a ring? Our Security and Compliance consultants are experts in this field.