Have you heard about GDPR – the biggest change to data protection regulations in 20 years? A significant number of articles and bulletins have already been published on it – in fact your inbox may have been so full of weighty updates that you have been put off reading them.
We want to put things into bite size chunks and not give you information overload. For that reason, we are putting together various updates over the next couple of months to provide you with key information to steer clear of the pitfalls associated with GDPR.
So what is GDPR? It stands for the General Data Protection Regulation and is a new data protection standard emanating from Europe. It affects anyone holding personal data on EU citizens, whether or not the data holder is based in the EU – i.e. it will continue to apply after Brexit if you process personal data from outside the UK, whether or not the UK government withdraws its effect.
When does it come into effect? GDPR is set to come into effect on 25 May 2018. That means businesses need to start considering its impact in advance of that date to ensure that they are compliant from the start of the new regime.
Recap on personal data, data controllers and data processors
Before getting into the detail of GDPR, it is helpful to refresh on some of the applicable terms.
Personal Data – Information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. A wide range of personal identifiers is covered, including name, identification number, location data and online identifiers such as IP addresses, cookies and e-mail addresses.
GDPR applies to Personal Data whether it is compiled manually or automatically, provided the data can be accessed using specific criteria. Pseudonymised data may also be covered by GDPR, depending on how difficult it is to attribute the data to a specific individual.
Special Categories of Personal Data (previously Sensitive Personal Data) – These are subject to greater restrictions on processing and include categories such as racial, ethnic, religious, political, genetic and biometric data.
Additional restrictions are in place for personal data relating to criminal convictions and offences.
Data Controller – An entity that determines the purposes and means of processing Personal Data, and remains responsible for how, why and by what means it is processed, including where the processing is carried out on its behalf by a Data Processor.
Data Processor – An entity that has responsibility for the processing of Personal Data on behalf of a Data Controller.
A few words on Consent – We are all used to operating under a regime where consent is required to use Personal Data. GDPR, however, represents a change to how valid consent is obtained. Under the old regime, there was a one-size-fits-all approach, with a single consent being possible for multiple uses.
The new regime requires specific consent for different uses of information. So if you intend to market to an individual it will not be enough to rely on a consent given for another purpose.
Presuming consent by means of pre-ticked boxes is also precluded, and explanations of how Personal Data will be used must be set out more clearly, in plain language. Moreover, it needs to be as easy to withdraw consent as it is to give it.
Early consideration should, therefore, be given to how you obtain consent and whether or not that will remain adequate under GDPR.
So what do you need to do before 25 May 2018? The two key things are to check your own compliance with GDPR where it applies to your business and to check the compliance of any third party contractors you use to help you deal with personal data – e.g. software providers and website hosts.
Also, keep an eye out for our future updates. In these, we aim to help you identify where your business will be affected, so that you can ensure that your risks are covered off. You should also remember that the Information Commissioner’s website (https://ico.org.uk/) has many useful articles and checklists to help you steer clear of trouble.
This update is for general information only and is not legal advice. If you need that, please get in touch with our friends at (www.punklegal.co.uk).