Here’s everything you need to know…
Currently, the UK relies on the Data Protection Act 1998, which was enacted to implement the 1995 EU Data Protection Directive, but this will be superseded by the new legislation. The GDPR introduces much tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. Because it is a Regulation rather than a Directive, it applies directly in every Member State, so data protection rules become more or less identical throughout the EU.
25th May, 2018
It affects every business within all 28 EU Member States.
GDPR also applies to businesses outside the EU that process the personal data of EU residents, either where they offer those residents goods or services (irrespective of whether payment is required) or where the processing relates to monitoring the behaviour of EU residents, in so far as that behaviour takes place within the EU.
Yes. The GDPR comes into effect before the end of the two-year Article 50 period for leaving the EU, so UK firms must comply with it until the UK actually leaves. Even after Brexit, UK firms that offer goods or services to EU residents, or monitor their behaviour, will still need to comply.
You may be fined up to €20 million or 4% of your total worldwide annual turnover (revenue), whichever is greater. You may also be subject to compensation claims from affected data subjects.
In the first instance, Member States will have individual discretion on criminal sanctions for GDPR infringements. Though it is too early to predict how different supervisory authorities (SAs) will enforce their powers, it seems inevitable that Member States will have variable approaches.
Once the legislation comes into effect, controllers must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
'Lawfully' means that at least one of the GDPR's lawful bases for processing applies; they are alternatives, and not all of them need apply. Processing is lawful if the data subject has consented to it. Alternatively, it is lawful where it is necessary to perform a contract with the subject or to comply with a legal obligation; to protect an interest that is "essential for the life of" the subject (a "vital interest"); to carry out a task in the public interest; or for the controller's legitimate interests, such as preventing fraud, provided those interests are not overridden by the subject's rights.
At least one of these justifications must apply in order to process personal data, and you should decide which one you are relying on before processing begins.
The GDPR treats a broad swath of data from which a person could be identified, directly or indirectly, as personal data: not just name and email address, but also location data, IP addresses, online identifiers such as cookies, physical characteristics such as tattoos, and records of online behaviour.
People can ask for access at "reasonable intervals", and controllers must generally respond within one month (extendable by a further two months for complex or numerous requests, provided the person is told why). The GDPR requires that controllers be transparent about what data they collect, what they do with it, and how they process it, and that they explain these things to people clearly, in plain language.
People have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it's stored for, and who gets to see it.
This is the individual's right to have their personal data deleted "without undue delay", for example where the data is no longer necessary for the purposes for which it was originally collected or processed, or where the individual withdraws the consent on which the processing was based.
Controllers must now be able to provide a person's data in a structured, commonly used, machine-readable format (such as CSV), so that the person can take it to another organisation, or have it sent there directly where technically feasible, free of charge. Controllers must do this within one month. This right covers data the person provided to the controller and that is processed by automated means on the basis of consent or a contract.
Providing they meet the new rules, existing consents should still apply. Where personal data is processed for direct marketing, the individual’s right to object should clearly be brought to their attention.
In general, consent needs to be unambiguous, opt-in, and freely given, and it must be explicit where special categories of data (such as health data) are involved. This means the popular opt-out based consent of today will no longer be acceptable.
No longer can consent be obtained by silence or opt-outs, instead an active process (e.g. ticking a box) must be completed to class as consent. Companies must be able to demonstrate that the individual has actually given consent for their data to be processed.
The new rules state that "Silence, pre-ticked boxes or inactivity should not therefore constitute consent."
Yes! If you rely on consent as your lawful basis and customers haven't opted in to your communications, sending them is a breach of GDPR.
If you suffer a personal data breach that is likely to put the rights and freedoms of individuals at risk, you must notify the relevant data protection authority (the Information Commissioner's Office (ICO) in the UK) without undue delay and, where feasible, within 72 hours of your organisation becoming aware of it. If the breach is likely to result in a high risk to individuals, you must also tell the affected people themselves without undue delay.
While you can't be expected to detail every aspect of a breach upon discovering it, you should notify the data protection authority of the nature of the breach and the categories of data affected, the approximate number of people and records involved, the likely consequences for those people, and the measures you have taken or plan to take. Where the full picture is not yet available, this information can be provided in phases, but the initial notification should not be delayed while you gather it.
It is not compulsory for every organisation to appoint a Data Protection Officer (DPO); whether you must do so depends on a number of factors. According to the ICO, a company should appoint a DPO if they:
Any organisation may appoint a DPO voluntarily if it wishes to do so. However, even if a company chooses not to appoint a DPO because the above does not apply to it, it must still ensure that it has sufficient staff and skills in place to carry out its obligations under the GDPR.