Countdown to the EU’s General Data Protection Regulation
30th September 2017
There seems to be a lot of confusion about what the GDPR means for companies and whether their customer data and marketing activities are compliant. Here we try to cover what you need to know.
What is GDPR?
The EU's General Data Protection Regulation (GDPR) is the result of four years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used.
The current legislation, the Data Protection Act 1998, was enacted before the internet and cloud technology created new ways of exploiting data. For example, companies like Facebook and Google swap access to people's data for use of their services.
GDPR is designed to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market (the EU estimates this will save businesses a collective €2.3 billion a year).
When will the GDPR apply?
The GDPR will apply in all EU member states from 25 May 2018. Because GDPR is a regulation, not a directive, the UK does not need to draw up new legislation - instead, it will apply automatically.
Who does the GDPR apply to?
'Controllers' and 'processors' of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing.
Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they're dealing with data belonging to EU residents. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
Ultimately, the GDPR applies to EU based companies and companies that collect data of EU citizens, regardless of a physical presence in the EU.
What happens after Brexit?
If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit.
Karen Bradley, secretary of state for Culture, Media and Sport, said in October:
We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.
How does GDPR affect my marketing?
Data drives marketing. From basic contact information to specifics such as age, household size and more, the most effective marketing uses customer data to create targeted campaigns. But under GDPR, you’ll need to legitimise your marketing activities by documenting and recording exactly how data is captured, stored, processed and managed.
What are the penalties for non-compliance?
Organisations can be fined up to €20 million or 4% of annual global turnover for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements. There is a tiered approach to fines, e.g. a company can be fined 2% for not having its records in order (article 28), for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.
Do data processors need 'explicit' or 'unambiguous' data subject consent - and what is the difference?
The conditions for consent have been strengthened, as companies will no longer be able to utilise long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent - meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data - in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.