What is GDPR?

A refresher on why GDPR, what it is, and the huge changes it created

What is GDPR?

It’s so easy to get stuck in the weeds on GDPR.  So we’re going to take a high-level look at ‘What is GDPR?’, why it came in, and the huge changes its created, focusing on the differences to the 1998 UK Data Protection Act and the 1995 EU Data Protection Directive.

Stay with us as we’ll put up a link to download a neat one-page index to GDPR’s articles at the end – really handy when people are rattling off ‘Article 6 this’ and ‘Article 28 or 30 that’.  And we’ll link to some great guides on GDPR.

And you can watch our FREE video: ‘What is GDPR?’, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy.  If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.

First, why GPDR?

Well, the old EU law was a Directive which had to be implemented by each Member State separately.  While the Directive’s intention was to harmonise the law on data protection and remove bumps in the road to the single market, it was implemented quite differently throughout the European Economic Area (‘EEA’).  Organisations operating in more than one Member State found it hard to address and manage compliance.  And the significant technology advances since 1995 also put pressure on lawmakers to update the legislative landscape.

GDPR took effect 25 May 2018 and tries to harmonise those laws and practices because, as a Regulation, it’s direct law throughout the European Union (‘EU’) and the EEA.  There’s no need for any Member State to implement GDPR, it’s already there.

The main changes

Every area pre- GDPR is still there, just more so, and there are key new areas.  So we’ll concentrate on the differences to the old law.

Fines!

GDPR massively increased the maximum fines in the UK from £500,000 to €20 million euros or 4% of global turnover if higher.  If those huge potential fines aren’t reason to comply, here are two reasons that key surveys say are often bigger.

  • First, internal compliance requirements.  As well as those fines, company directors are well aware of the potentially existential threat – particularly to their jobs – of data breaches.  And GDPR’s in vendor due diligence, customer due diligence, it’s also in internal audit – so they need a good answer.
  • Second, it’s those partner and customer expectations: GDPR’s now in due diligence by vendors, partners, investors – and particularly when people outside Europe are selling into Europe.

Global Scope

So, talking of outside Europe, when does GDPR apply to you?  And by ‘you’ we’re really talking about organisations, although it will also apply if you’re an individual processing personal data outside of normal personal or household activity.

If you’re established in the EEA, GDPR clearly applies to you and everything you do with personal data.  Simple.

If you’re outside the EEA, in the USA for example, GDPR can still apply to you if you fall into one of three main buckets.

  • First: you’ve an establishment in the EEA and your processing is ‘in the context of the activities’ of that establishment, GDPR will travel with that personal data and apply to you for that processing.
  • Second: you offer goods or services to individuals in the EEA. It doesn’t matter where those individuals reside or what nationality they are.
  • Third: you monitor the behaviour of individuals in the EEA.

For completeness, there’s a rare fourth bucket, where GDPR applies because of public international law – so, for example, a consular post.

Personal Data

Personal data is essentially the same under GDPR as the old law, but GDPR makes clear just how broad that definition is and it adds genetic and biometric data to ‘special categories’.

So ‘personal data’ is still any information relating to an identified or identifiable living person – the data subject – and they can be identified directly or indirectly, so, by that information or in combination with other information.  Basically anything that directly or indirectly identifies or could identify a person, alone or with other information.

7 Principles

GDPR’s still a principles-based law.  The first 6 principles were already there in the UK’s 1998 Act, so we’ll just list them here and then look at the big change: Accountability, the Seventh Principle.

  1. Lawfulness, fairness and transparency: personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
  2. Purpose limitation: personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  3. Data minimisation: personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Accuracy: personal data shall be accurate and, where necessary, kept up to date.
  5. Storage limitation: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  6. Security (ok, they call it integrity and confidentiality): personal data shall be processed in a manner that ensures appropriate security of the personal data.

Accountability: the 7th Principle

Accountability means that ‘the controller shall be responsible for, and be able to demonstrate compliance with‘ the first 6 Principles.

In particular, this means being able to demonstrate your compliance – and that’s not always easy.   If you don’t have things written down, on paper or digitally in a solution such as Keepabl, there’s no way you’ll be able to do this.  Fines are also coming through on this aspect too, and it’s something regulators are focusing on.

Lawful Grounds

GDPR’s first principle is about lawfulness and, for your processing to be lawful, you’ve got to identify which of the 6 lawful grounds – or legal bases – applies before you process that personal data.  Again, all were there in the 95 Directive and in the UK’s 98 Act, so we’ll focus on key changes.

Consent

Consent, the grand old dame of Privacy got new teeth and, as a result, it’s dropped from number 1 to number 4 in the charts.  You now need to keep detailed records and you may need separate consents for different purposes.  Importantly, you can’t use it where there’s no real choice about giving that consent – so, in most employment situations and when dealing with public bodies.

It’s definitely not the consent you knew under the 98 Act.

Legitimate Interests

The new old kid on the block is ‘necessary for your legitimate interests’.  GDPR gives examples here, including ensuring network and information security, and even direct marketing.  But there’s some controversy around how far you can push legitimate interests, and you also need to consider the interaction of the e-Privacy rules, which, for example, dictate consent for many cookies.  And public authorities can’t use this in carrying out their duties.

And just as before, if you’re wanting to process special categories of data or personal data related to criminal convictions and offences, you’ll need one of the 6 grounds, plus one of the additional grounds particular to the type of data.

GDPR & Controllers

Let’s look at eight key changes for controllers under GDPR.

#1 Privacy Notices

Requirements on privacy notices, the information you provide to data subjects about what you collect and what you do with it, have become stricter.  So you do need to update your old ones to meet GDPR’s requirements, and you’ll have seen this in particular around cookie notices.

#2 Processors

A bigger change is when you use processors.  What used to be a little bit of due diligence and a paragraph in contracts has become much more extended due diligence, including sub-processors, and a multi-page Data Processing Addendum.  Happily, these have become pretty common.

#3 Breach

A huge change is Breach Notification: every controller’s now legally obliged to notify personal data breaches to the authorities within 72 hours of becoming aware of them, unless there’s unlikely to be a risk to the individuals, and to notify the effected individuals if there’s a likely high risk to them.

This is huge because, before GDPR, basically only ISPs and Telcos had to notify breaches.  Now it’s everyone and there’s a 72 hours requirement.

#4 Data Subject Rights

Existing Data Subject Rights or DSRs were so strengthened and joined by a couple of new ones, it’s worth calling it a new area.  Individuals, or ‘data subjects’, can ask for access to the data you have on them, correct it and erase it, just like they could before, but they can also now port it to someone else, restrict your use of it and object on broader grounds to your using it.

Some requests, you’ve got no choice but to comply – for example, withdrawing consent for using their data for marketing.  Others are subject to certain conditions, so you need to ensure you get that right and have a team trained on how to deal with them.

#5 Privacy Governance

GDPR now means you have to implement ‘Data Protection by Design‘ and ‘Data Protection by Default‘.  What that means is incorporating data protection principles from the start of any project – that’s the ‘by design’ bit – and ‘by default’ ensuring that they’re your default setting across the board.

Your Privacy policies and procedures will help you here, including your risk assessments which GDPR calls ‘impact assessments’.  There’s one that GDPR says you have to do, and that’s a Data Protection Impact Assessment or a DPIA.  It needs to be done when there’s a likely high risk to individuals.

#6 Children

Children are specifically protected under GDPR, which sees them as vulnerable data subjects.  So, if you’re collecting their data, you need to make sure your privacy notices are written in an age-appropriate language and are easily understandable, you’ll need to age verify for certain services and that age which is 13 in the UK can vary across Europe up to 16, and it’s much harder to rely on legitimate interests when the data subject’s children that it is for others.

#7 Accountability

We’ve discussed Accountability already.  You need to be able to demonstrate your compliance status to the regulator and, because of that, others will ask – from the Board to your customers.  So this will include your Privacy Governance structure, your Privacy Framework, your policies and procedures, your DPIAs we’ve talked about, your Article 30 Records (see? stick around for that one- page index!) – Article 30 Records are the records of processing required to be kept under Article 30 by controllers and by processors.

#8 People

Last, you may need to appoint a Data Protection Officers, or ‘DPO‘.

This is a brand new requirement in the European law for a person to advise the controller or processor on its GDPR compliance.  It was there, for example, in German law before GDPR.  In summary:

  • if you’re public sector, you’ll need a DPO, but
  • if you’re private sector, you’ll only need a DPO if your core activities include large scale (1) regular and systematic monitoring of data subjects or (2) processing of special categories of personal data or data relating to criminal convictions and offences.

DPOs don’t have any liability under GDPR, that’s still with the controller and processor.  Do take a look at our videos on ‘Do I need a DPO?‘, ‘Who can be DPO?‘ and ‘What does a DPO do?

And, if you’re subject to GDPR and you’ve no establishment in the EEA, it’s likely you’ll need to appoint an EU Representative.  These aren’t there to advise like the DPO, they’re more of a post-box liaison point for controllers and processors who’d otherwise have no EEA presence.  They don’t have liability under GDPR either and don’t even count as an ‘establishment’ for GDPR, and that’s given a very broad definition.

GDPR & Processors

In another huge development, for the first time, processors have direct obligations and liability under the law, including:

  • to implement appropriate security measures,
  • restrictions on their use of sub processors,
  • liability for infringement of GDPR’s processor rules, and for processing that’s contrary to the instructions of the controller, and
  • to designate a Data Protection Officer and/or an EU Representative as required.

So there you go! That’s a quick summary of the huge law that is GDPR.

The link to the one-page index to GDPR is in the notes below -it’s a great cheatsheet when someone’s lording it over you with the ‘Article 24s this’ and ‘Article 83s’.  And you’ll see links to some excellent guides.

Take a look at our other blogs and videos, including ‘10 Steps to GDPR Compliance‘, and please do contact us to see how we can help you move your GDPR compliance out of the shadows into a revenue generator.

Do use #PRIVACYKITCHEN and let us know the topics and questions you want us to cover.

Stay well in the meantime and see you soon in Privacy Kitchen!

Links

Keepabl’s Quick Guide to GDPR’s Articles

GDPR itself!

The UK ICO’s Guide to GDPR

The UK Government’s Guide to GDPR

The European Commission’s Guide to GDPR

France’s CNIL’s Guides to GDPR

 

 

 


Related Articles

Privacy Kitchen
ISO 27001 is not GDPR

If someone says to you: ‘OK, we’ll get you GDPR compliant, we need to start you off with 27001‘ or they say ‘ISO 27001 is the standard for, or the…

Read More
Privacy Kitchen
DPOs Part 3 - What does a DPO do

What does a DPO do? Have you been made the Data Protection Officer or DPO at your workplace?  Don’t panic!  In the time it takes you to have a cup…

Read More