When did the GDPR come into effect?
The Regulation came into effect on the 25th May 2018.
Who does GDPR apply to?
Any organisation which processes and holds the personal data of data subjects residing in the EU will be obliged to abide by the laws set out by GDPR. This applies to every organisation, regardless of whether or not it itself resides in one of the 28 EU member states, if it holds data belonging to EU nationals. There are also adequacy agreements with 12 other countries in addition to the EU member states and the three EEA states, whereby the EU believes that data will be protected to the same degree as currently granted by European law.
What responsibilities will companies have under this new regulation?
The rules governing how personal information is used will become much stricter, and GDPR introduces regulations that significantly widen the control owners of personal data have. This means that companies will have to clearly demonstrate that they have consent to hold personal data and justify why they need it, switching the onus from an opt-out approach to ensuring that individuals opt in. The regulations are consent-centric.
What kind of information does the GDPR apply to?
The current Data Protection Directive defines personal data as: “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
This has been extended to include your personal data online, like your IP address, physical information from your computer, such as a MAC address, online financial information and even social media posts. The GDPR will also include sensitive personal data, which are special categories of personal data that uniquely identify a person. This will include genetic data and biometric data.
Are there any specific rules businesses should be following in order to ensure compliance?
Yes, there are: Article 5 of the EU GDPR sets out six privacy principles relating to personal data:
- Data should be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)
- Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
- Data must be accurate and, where necessary, kept up to date. Where data is inaccurate, it should be erased without delay
- Data must be kept in a form that permits identification of a subject for no longer than is absolutely necessary
- Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
What are the penalties for failing to comply with GDPR?
Failure to comply with the GDPR carries penalties that are far heavier than those under the current Data Protection Act (1998). However, an approach has been introduced whereby the severity of the fine will be determined by the characteristics of the breach. Overtly not complying with GDPR or ignoring formal written warnings from the ICO will likely carry the heaviest fines. Ignorance is not an excuse, and companies in violation may have to undergo regular data integrity audits. The maximum fine a company can face is 4% of its annual global turnover or €20 million, whichever is higher.
What effect, if any, does Brexit have on GDPR?
Even though UK Prime Minister Theresa May has now announced a definitive date (29th March 2017) to begin the process of leaving the European Union, and Britain is set to come out of the European Union in 2019, most if not all of the GDPR is set to be adopted into UK legislation as early as December 2018.
However, regardless of how much or little Britain decides to adopt of the GDPR (and it is likely that it will be most of it), British companies will have to adhere to the exact same rules and regulations as companies located anywhere in the world, and should not expect any divergence from the GDPR concerning personal data held in the UK.
Do all organisations now have to appoint a Data Protection Officer (DPO)?
It is not necessarily compulsory for all organisations to appoint a DPO, as this depends on a number of factors. According to the ICO, a company should appoint a DPO if:
- You are a public company or a public authority (with the exception of courts acting in their judicial capacity)
- You are engaged in or carry out large-scale systematic monitoring of individuals and user data
- Your organisation processes large volumes of personal data or carries out large-scale processing of special categories of data or data relating to criminal convictions and offences
Even if you don’t appoint a DPO for your company, you must ensure that you have the resources in your organisation to comply with the obligations under the GDPR.
I store my data elsewhere with a cloud provider. Am I still liable?
If you store your data with a cloud provider, you are not exempt from the GDPR, and should your cloud provider fail to comply with the GDPR, you will not be able to shift the blame to them.
What rights do individuals have under GDPR?
There are 8 fundamental rights of individuals under GDPR. These are:
- The right to be informed – Organisations must be completely transparent in how they are using ALL personal data.
- The right of access – Individuals will have the right to know exactly what information is held about them and how it is processed.
- The right of rectification – Individuals will be entitled to have personal data rectified if it is inaccurate or incomplete.
- The right to erasure – Also known as ‘the right to be forgotten’, this refers to an individual’s right to have their personal data deleted or removed without needing to give a specific reason for wishing to discontinue.
- The right to restrict processing – Refers to an individual’s right to block or suppress processing of their personal data.
- The right to data portability – This allows individuals to retain and reuse their personal data for their own purpose.
- The right to object – In certain circumstances, individuals are entitled to object to their personal data being used. This includes cases where a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
- Rights related to automated decision making and profiling – The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision that has a legal bearing on them or that is based on automated processing.