The GDPR applied from 25 May 2018 to harmonise data protection law across the EU. It replaced the old 1995 EU Data Protection Directive – which each Member State had to implement itself in its national laws, hence the divergence. There’s never been a need for any Member State to implement GDPR; as a regulation it’s already direct law across the EU and the European Economic Area (EEA).
As a regulation, the EU GDPR applied directly across the UK as from 25 May 2018. When the UK left the EU, all EU law that applied to the UK as at 31 December 2020 was kept as ‘retained EU law’. That included EU GDPR which was changed minimally, mostly by replacing ‘the EU’ with ‘the UK’ and removing all references to Member States and EU collaboration.
In practical terms, for an organisation’s compliance, the UK GDPR is pretty well identical to the EU GDPR. The key difference is it applies to the UK only, so for example the territorial jurisdiction for determining when a transfer takes place under the UK GDPR is the UK.
Because they’re so similar (as at May 2022, watch this space…) we’ll just say GDPR in this post.
GDPR’s maximum fines are up to the higher of €20 million or 4% of global turnover. That’s a huge increase and has put data protection on the Board Risk Register.
If those huge potential fines aren’t reason to comply, here are two reasons that key surveys say are often bigger.
As well as that Board-level risk rating, and those immense maximum fines, company directors are well aware of the potentially existential threat – particularly to their jobs – of the commercial ramifications of personal data breaches.
And GDPR’s in internal audits now – so they need a good answer!
GDPR’s also become embedded in due diligence by vendors, partners, and investors.
In a 2022 study by telecoms giant, Cisco, 90% of respondents stated that their customers wouldn’t buy from them if they weren’t adequately protecting their data, with 69% of those surveyed stating their own company was more attractive thanks to investment in Privacy.
By ‘you’ we’re really talking about legal entities, the employer in most cases. Employees are not controllers under GDPR (unless they go on a frolic of their own).
If you’re established in the EEA, GDPR clearly applies to you and everything you do with personal data. Simple! And it applies no matter where the individual resides or what their nationality is, whether they’re in Australia, the US or the EEA. All your processing is covered.
If you’re outside the EEA, in the USA for example, GDPR can still apply to you if you fall into one of three main buckets.
For completeness, there’s a rare fourth bucket, where GDPR applies because of public international law – for example, a consular post.
Under GDPR ‘personal data’ is ANY information relating to an identified or identifiable living person – the data subject.
And they can be identified directly or indirectly, in other words by that information alone or in combination with other information. Basically ANYTHING that directly or indirectly identifies or could identify a person, alone or with other information, is personal data under GDPR.
GDPR’s 7 Principles are set out in Article 5 of GDPR. For those who aren’t aware, an ‘Article’ is just a ‘section’ – so saying ‘Article 5’ is like saying ‘section 5’ for other laws.
First off, personal data shall be ‘processed lawfully, fairly and in a transparent manner in relation to the data subject’.
This is the Lawfulness, Fairness and Transparency Principle.
The focus here has mostly been on lawful and transparent, which gives you a very good position on fairness. So you may also hear this referred to as the ‘Lawfulness Principle’ or the ‘Transparency Principle’.
Personal data can only be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’.
This is the Purpose Limitation Principle and makes perfect sense; you can’t tell people you’re only processing their data to provide your software services to them, and then suddenly sell it to someone else for them to market insurance to them.
The key takeaway here is, when you’re creating your Privacy Notices for the Transparency Principle, make sure you cover the purposes for which you’re processing the data. It’s not easy to suddenly start processing for a new purpose if you hadn’t identified it up front.
There are certain exemptions for follow-on research and statistics which aren’t to be seen as incompatible. This is one area the UK is looking at clarifying in its upcoming review … we’ll see how that goes.
Personal data you process must be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’.
This is the Data Minimisation Principle and it ensures that you don’t collect more personal data than necessary for your stated purpose. Gone are the days of asking for a ton of data – or even not asking. Apps from times gone by used to scrape mobile phones for email addresses, other apps you used and much more.
Data minimisation has actually always been the case, but GDPR’s fines and increased awareness mean it’s clear you need to be focused on collecting only what’s necessary.
And the bonus of having less personal data is there’s less to protect against breach and less to search for a data subject request (DSR).
Personal data you process must be ‘accurate and, where necessary, kept up to date’.
This is the Accuracy Principle. Because data must be accurate, it also states that ‘every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay’.
This points to a couple of the data subject rights: the right to rectification (to correct inaccurate data) and one aspect of the right to erasure.
Now you have personal data, you must keep it ‘in a form which permits identification of data subjects for no longer than is necessary for the purposes’ for which it’s processed.
This is the Storage Limitation Principle. Again, there are some research and statistical exemptions.
When you hear the word ‘retention’ this is what it relates to: don’t keep personal data for any longer than necessary for your specified purposes.
Some retention periods are set out in law, for example on tax and maternity records, but in most cases this will be a commercial decision based on what is necessary – and regulators aren’t in the mood to agree ‘infinity’ because you might need it in future. It needs to be related to the purpose.
Again, there are practical benefits from having appropriate retention periods and deleting – or anonymising – personal data: you’ll have less to protect and less to search in response to a Data Subject Request. A quick aside, though: you can’t delete it to avoid answering a DSR.
Of course, at all times, personal data must be secure. GDPR’s Security Principle requires that personal data is ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’.
This is the Integrity and Confidentiality Principle. It should’ve just been named the Security Principle really, as that’s how it’s most commonly referred to.
Security is fundamental to Privacy but as you can see, it is only 1 of 7 Principles; most of GDPR is not about Security. You can see a great overview in our ‘ISO 27001 is not GDPR’ video over on the Privacy Kitchen YouTube channel.
And if you’re a controller, you’re ‘responsible for’ and must ‘be able to demonstrate compliance with’ the other 6 Principles.
This is the 7th Principle – the Accountability Principle.
It’s the main change to the Privacy Principles brought in by GDPR. Although it’s number 7, you should bake this in from the start. GDPR enshrined Data Protection by Design & by Default into law, including various obligations on record-keeping.
The Accountability Principle means you have to have Privacy Governance in place, focused on GDPR, and be able to demonstrate that to the regulator and for example to stakeholders, including the Board, auditors, investors and customers.
GDPR’s requirement to put in place Governance, and demonstrate that to stakeholders, is why the Privacy Tech industry, including Keepabl, really came into being.
Don’t forget that, while GDPR is the bulk of the data protection rules for a private organisation, there are also the e-Privacy rules set out in the EU e-Privacy Directive. As a directive, it’s had to be implemented in each Member State in their own law. In the UK, it’s PECR. These rules cover cold calling, email marketing, cookies and more.
And then there are the other national data protection laws (in the UK it’s the DPA 2018) which deal with areas outside GDPR such as intelligence services and law enforcement (a different EU regime) as well as setting out the limited allowed exemptions or additions to GDPR.
Under GDPR, everything you do within your organisation relating to data protection must be ‘by design and by default’, meaning that you have to consider the data protection principles in the design of any new product or activity. This principle is covered in Article 25.
We all know GDPR is a minefield, and its complexity can sometimes leave organisations not knowing where to start.
At Keepabl, thanks to our fancy Privacy Management Tool, we can give you the headstart you need to get GDPR compliant simply and intuitively, making your organisation ‘privacy by design and by default’.
With instant Article 30 Records creation and rapid Data Mapping, you’ll be up and running in no time, with exportable reports at the click of a button to keep the Board and auditors happy. Our powerful Risk and Breach tools will also mean you’re on top of any GDPR risk and unfortunate slip-ups, and our solution gives a good nudge if you need to let the authorities know.
On 10 September 2021, the UK’s Department for Digital, Culture, Media & Sport (DCMS) launched Data: a new direction, a consultation seeking responses on a wide range of proposed changes…