GDPR: A Beginner’s Guide to the new General Data Protection RegulationGDPR. Four letters that you might never have heard before, but will be hearing a lot more of by May 25th 2018. These seemingly harmless four letters will have a massive impact on any business that handles EU citizens’ data and will have to abide by the changes it brings. This article is intended to explain the significance of the changes, and allow anyone at any company level to understand the impact and benefits of this regulation. From key decision makers to marketing teams, this guide explains why GDPR matters to them.
What is the GDPR?GDPR is shorthand for the new European General Data Protection Regulations – the biggest change to data regulation in the history of the EU. The GDPR gives people greater control over how their personal data is used and governs the way every business must handle personal data – including their employees. It also gives regulators greater powers to impose heavy penalties on businesses who fail to comply. In a recent survey four out of ten UK businesses said they would have to “cut staff or go out of business” if they were fined. Therefore it is imperative for businesses of all sizes to comply to avoid serious penalties and possible financial difficulties for their company. Taking action now to become compliant with GDPR can save your business money in the long term, and allow greater opportunity for SMEs in the digital economy, as our article will show.
A brief history of Data Protection in EuropeIn 2012 the European Commission (EC) put forward its EU Data Protection Reform to make Europe fit for the digital age. In December 2015 the EC reached agreement on a new set of rules. On 8 April 2016 the Council adopted the Regulation and the Directive. And on 14 April 2016 the Regulation and the Directive were adopted by the European Parliament. On 4 May 2016, the official texts of the Regulation and the Directive were published in the EU Official Journal in all official languages. While the regulation entered into force on 24 May 2016, it shall apply from 25 May 2018. In the UK, the main body dealing with data protection is the ICO (Information Commissioners Office). Since 1998 the Data Protection Act has been in place but will be replaced by the Data Protection Bill when the UK leaves the EU. In Ireland, the main law dealing with data protection legislation is the Data Protection Act 1988, which was amended by the Data Protection (Amendment) Act 2003. These will both be replaced by the GDPR.
Why was the GDPR drafted?Essentially the GDPR was drafted to strengthen citizens’ rights in the digital age and help businesses. It will provide a simple set of rules for companies to work with in the Digital Single Market. It will lead to less fragmentation, reduced administrative costs and mean savings for businesses of around €2.3 billion a year and a more streamlined policy for handling personal data. The reasons it was created were:
- There was a need for a simple unified legal framework for all EU countries to operate in to allow for consistency and transparency across 28 countries.
- Existing legislation has not kept up with the many ways companies can exchange and exploit a person’s personal data online. Each year it seems that more and more companies are being exposed as having flaws in their data storage, leaving the general public lacking trust in the security of their data. For example, the 2016 Yahoo data breach saw 1 billion accounts compromised. The aim is to build back up the public’s trust in the digital economy.
What is Personal Data?Whenever you shop online, join a social networking website or book a flight online, you hand over vital personal information such as your name, address, online identifier, health information, income and credit card number and more. Do you know what happens to this data? Is your data being used in marketing and by who? If this company suffers a data breach, is your information at risk? This is where GDPR comes into effect. Take the example of Max Schrems. In 2012 he filed a request for all his data held by Facebook and was sent a dossier of 1200 pages that included supposedly “deleted” messages. With GDPR European citizens joining social networks will now have full access to their information and have the “right to be forgotten”.
How will GDPR affect your personal data?Simply put, the implementation of GDPR will:
- Strengthen citizens’ rights – it will increase digital trust and therefore boost the online economy. The more people trust how their personal data is processed online, the more they will spend on online services. The value of European citizens’ personal data has the potential to grow to nearly €1 trillion annually by 2020 – a strong reason if any more was needed, to comply and gain EU citizens’ trust.
- Enforce an individual’s “right to be forgotten” – this means that if you no longer want your personal data to be processed, and there is no legitimate reason for a company to keep it, the data shall be deleted.
- Give citizens a right to data portability – i.e. the right to obtain a copy of their data from one internet company and to transmit it to another one without hindrance from the first company. This will allow for healthier competition and allow smaller providers and SMEs access to markets normally dominated by bigger providers.
- Apply data protection to new technological developments – changes in data storage, for example the arrival of cloud computing, have revolutionised the ways in which data is stored.
- Act as a“one-stop shop” on personal data – create a single DPA (Data Protection Authority) for companies with a head office in one country but franchises across the EU.
- Have one law to abide by – this will benefit businesses in Europe by reducing administrative costs and simplify the existing rules allowing for quicker resolution of issues and implementation of measures to secure the data.
- Make international cooperation easier – Instead of working around the data issues for 28 different countries, it will mean less legal tape to process and easier expansion into other countries for SMEs. In turn, this would help justice officials across countries in fighting international crime.
Penalties for non-compliance with GDPRThe GDPR now gives data protection authorities more robust powers to penalize companies. Currently, UK companies found to be in breach of the Privacy & Electronic Communication Regulations (PECR) can be fined up to a maximum of £500,000. However under the EU new General Data Protection Regulation (GDPR), there are 2 types of fines which would have a significantly bigger impact on a business:
- Administrative fine of up to €10 million or 20% of the total worldwide annual turnover of the preceding financial year (whichever is greater) shall be imposed for infringements on the GDPR’s code of conduct.
- Administrative fine up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year (whichever is greater) shall be imposed for actual data breaches.
Individual complaintsThe customers you contact using their information can also report you. Take the example of Flybe, who in August 2016, sent emails with the subject line, “Are your details correct?” to over 3 million people in their database. This included people who had previously unsubscribed from email communications. Flybe were fined £70,000 for breaking the Privacy and Electronic Communication Regulations (PECR). The GDPR makes it considerably easier for individuals to bring private claims when their data privacy has been infringed, and they can sue for compensation in serious cases.
What does it mean for my business?
- Communication: Using plain language, explain who you are when requesting personal data and why you are processing this data, how long you will store it for, and who will have access to it.
- Consent to process the data: in the instance of children and social media, checking the age limit for parental consent.
- Access and portability: let people view all the data you have on them and allow people to transfer this data from one provider to another.
- Warnings: informing people of data breaches or issues.
- Erase Data: this gives citizens the “right to be forgotten” i.e. the right to request that a company erases the personal data it is storing about them, for example the comments people make on social media in their youth are not always content they want their future employers to see.
- Profiling: if you are profiling someone’s information, for example for a loan application, financial institutions must now ensure the final decision is always made by a person and not a machine and the applicant has the option to contest the decision.
- Marketing: this applies to most companies operating in today’s business world. With GDPR there must be an option to easily opt out of this marketing at all times.
- Safeguard sensitive data: ensure an EU citizen’s data around their health, race, religion, sexual orientation and political beliefs is safeguarded at all times. This would apply to doctors and medical professionals.
- Transferring data outside the EU: making legal arrangement for any data being transferred to non-EU countries.
Are SMEs GDPR-exempt?SMEs are defined by the European Commission as being “The category of micro, small and medium-sized enterprises (SMEs) […] which employ fewer than 250 persons and which have an annual turnover not exceeding EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million.” Under the new GDPR outlined by the European Commission, there will also be a few exemptions given to SMEs.
- If the core activities of the company involve processing special categories of personal data (racial, ethnic, religious beliefs etc.) or they are processing large quantities of data; the company will be required to appoint a full-time data protection officer or DPO as this is sensitive data.
- Unless the SME is processing data regularly or at risk of breaching the rights and freedoms of the data subject, they will not be required to keep records of how they process data.
- If the data breach is considered “minor” and does not represent a high risk for the rights and freedoms of the data subject, SMEs will not be obligated to report the breach. If, however, the breach is considered to have a major impact on the data subject, they will be required to report the breach to all affected individuals.