Brought into effect in 2018 to replace the 1995 Data Protection Directive, the General Data Protection Regulation (GDPR) was introduced as a means to protect people’s privacy and outline the practices for which businesses were allowed to use personal data.
It was determined that the previous regulations had become outdated because of the data-centric lives we now lead, and that as the online world continued to grow, better protective measures were needed.
The EU introduced the regulation to harmonise the way in which countries across the Union handle our data and to provide greater protection and rights to its citizens. To accommodate different countries' requirements, an element of flexibility was allowed so that individual states could create rules based on the GDPR framework; as such, we (the United Kingdom) are governed by the Data Protection Act 2018.
The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights. Comprehensive guidance on the GDPR, the Data Protection Act 2018 and their implications can be found at ico.org.uk.
Lawful Basis for Processing
The most important element of a compliant GDPR policy is having a valid basis for processing personal data. The ICO states that you must satisfy one of the six available lawful bases for processing: consent, contract, legal obligation, vital interests, public task or legitimate interest. The ICO provides a useful tool on its website for determining your lawful basis.
No single basis is 'better' or more important than the others; which basis is most appropriate will depend on your purpose and your relationship with the individual. You'll need to decide which suits your requirements and document it.
Who Does It Affect?
In a nutshell, everyone. It affects all businesses and organisations within the EU regardless of whether you process data or not. Whilst it may not be obvious how it affects you, it is important to understand that if you offer goods and/or services to citizens within the EU, you must be compliant.
The crucial point about what constitutes personal data is that it allows a person to be identified; pseudonymised data can still fall under the definition of personal data.
Are you compliant?
Some of the main principles to think about when considering if you are GDPR compliant:
- How you collect your data:
Any data collected on an individual must sit within one of the ‘Grounds for Lawful Processing’ and this must be made clear to the individual at the point of collection.
- How you store and manage data:
If you had a security breach or lost your stored data, how is that data protected? Are there preventative measures to stop people accessing it? If anyone distributes the information you've collected, you are in breach of the GDPR. Also, it is important to know that if any individual requests to know what records you hold on them, you must respond within 30 days of their request.
- How you use an individual’s data:
You must only use the data for the purpose for which it was collected. This is why it is imperative that you know, at the point of collection, what your data is to be used for, with a clearly mapped strategy.
- How you share data:
If you intend to share this data with anyone, you must make the individual aware at the point of collection of how and with whom you intend to do this. Make sure all end users are identified in your GDPR policy. Make sure you are sharing safely and responsibly and that you know where the data goes once shared.
- How you dispose of data:
Does your policy define the timeframe for which you'll keep the data, and was this retention policy made clear to the individual at the time of collection? Ensure you know when all your stored data was collected so that you can dispose of it safely and confidentially at the right time.
- Management of your website:
You must only use the data for the purpose for which it was collected. This is why it is imperative that you know at the point of collection what your data is to be used for, and that you make sure the individual from whom you are collecting also knows.
Failing to comply with the GDPR can result in huge financial penalties. These are determined on a case-by-case basis and split into two tiers: the higher tier allows fines of up to 20 million Euros or 4% of the company's annual worldwide turnover (whichever is greater), while the standard tier carries a maximum of 10 million Euros or 2% of the company's annual worldwide turnover.
The ICO website publishes all fines issued to those who breach the rules.
Brexit and the GDPR
The GDPR applies to all companies based in the EU and to those with EU citizens as customers. It has an extra-territorial effect, so non-EU countries are also affected. This means that although the UK has left the EU, as long as a business continues to work with EU states, the GDPR remains in effect and businesses will need to adhere to its rules to avoid penalties.
Previously, the EU dictated these laws, but they now fall under the remit of the UK government. This means the UK has the power to review and amend the regulatory rules as required. Any changes made will affect UK GDPR only.
Moving forward, you may need to alter your GDPR policies and processes to align with UK GDPR, including changing relevant documentation. This may include updating your privacy notices, data protection impact assessments, data subject access request procedures, and data flow documentation to reflect the UK as independent of the EU and to use the wording shown in the UK GDPR regulation.
We have a comprehensive GDPR-compliant data security policy and ensure all our data is stored, managed and disposed of in a safe and confidential manner.
If you have questions around the GDPR, we can help you, drawing on our own experiences, or perhaps we can help to take on the administrative burden by collecting the data on your behalf.