It’s so easy to get stuck in the weeds on GDPR. So we’re going to take a high-level look at ‘What is GDPR?’, why it came in, and the huge changes it’s created, focusing on the differences from the 1998 UK Data Protection Act and the 1995 EU Data Protection Directive.
Stay with us as we’ll put up a link to download a neat one-page index to GDPR’s articles at the end – really handy when people are rattling off ‘Article 6 this’ and ‘Article 28 or 30 that’. And we’ll link to some great guides on GDPR.
And you can watch our FREE video: ‘What is GDPR?’, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy. If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.
Well, the old EU law was a Directive which had to be implemented by each Member State separately. While the Directive’s intention was to harmonise the law on data protection and remove bumps in the road to the single market, it was implemented quite differently throughout the European Economic Area (‘EEA’). Organisations operating in more than one Member State found it hard to address and manage compliance. And the significant technology advances since 1995 also put pressure on lawmakers to update the legislative landscape.
GDPR took effect 25 May 2018 and tries to harmonise those laws and practices because, as a Regulation, it’s direct law throughout the European Union (‘EU’) and the EEA. There’s no need for any Member State to implement GDPR, it’s already there.
Every area that existed pre-GDPR is still there, just more so, and there are key new areas. So we’ll concentrate on the differences from the old law.
GDPR massively increased the maximum fines in the UK from £500,000 to €20 million or 4% of worldwide annual turnover, whichever is higher. If those huge potential fines aren’t reason enough to comply, here are two reasons that key surveys say are often bigger.
So, talking of outside Europe, when does GDPR apply to you? And by ‘you’ we’re really talking about organisations, although it will also apply if you’re an individual processing personal data outside of normal personal or household activity.
If you’re established in the EEA, GDPR clearly applies to you and everything you do with personal data. Simple.
If you’re outside the EEA, in the USA for example, GDPR can still apply to you if you fall into one of three main buckets.
For completeness, there’s a rare fourth bucket, where GDPR applies because of public international law – so, for example, a consular post.
Personal data is essentially the same under GDPR as the old law, but GDPR makes clear just how broad that definition is and it adds genetic and biometric data to ‘special categories’.
So ‘personal data’ is still any information relating to an identified or identifiable living person – the data subject – and they can be identified directly or indirectly, so by that information on its own or in combination with other information. Basically, anything that identifies or could identify a person, alone or together with other data, is personal data.
GDPR’s still a principles-based law. The first 6 principles were already there in the UK’s 1998 Act, so we’ll just list them here and then look at the big change: Accountability, the Seventh Principle.
Accountability means that ‘the controller shall be responsible for, and be able to demonstrate compliance with’ the first 6 Principles.
In particular, this means being able to demonstrate your compliance – and that’s not always easy. If you don’t have things written down, on paper or digitally in a solution such as Keepabl, there’s no way you’ll be able to do this. Fines are now coming through on this aspect too, and it’s something regulators are focusing on.
GDPR’s first principle is about lawfulness and, for your processing to be lawful, you’ve got to identify which of the 6 lawful grounds – or legal bases – applies before you process that personal data. Again, all of them were there in the 1995 Directive and in the UK’s 1998 Act, so we’ll focus on the key changes.
Consent, the grand old dame of Privacy, got new teeth and, as a result, it’s dropped from number 1 to number 4 in the charts. You now need to keep detailed records of what was consented to and when, consent must be as easy to withdraw as it was to give, and you may need separate consents for different purposes. Importantly, you can’t use it where there’s no real choice about giving that consent – so, in most employment situations and when dealing with public bodies.
It’s definitely not the consent you knew under the 98 Act.
The new old kid on the block is ‘necessary for your legitimate interests’. GDPR gives examples here in its recitals, including ensuring network and information security, fraud prevention, and even direct marketing. But there’s some controversy around how far you can push legitimate interests, and you also need to consider the interaction with the e-Privacy rules (PECR in the UK), which, for example, require consent for many cookies and for electronic marketing. And public authorities can’t rely on legitimate interests when carrying out their public tasks.
And just as before, if you’re wanting to process special categories of data, or personal data relating to criminal convictions and offences, you’ll need one of the 6 grounds plus one of the additional conditions specific to that type of data.
Let’s look at eight key changes for controllers under GDPR.
Requirements on privacy notices, the information you provide to data subjects about what you collect and what you do with it, have become stricter. So you do need to update your old ones to meet GDPR’s requirements, and you’ll have seen this in particular around cookie notices.
A bigger change is when you use processors. What used to be a little bit of due diligence and a paragraph in contracts has become much more extended due diligence, including sub-processors, and a multi-page Data Processing Addendum. Happily, these have become pretty common.
A huge change is Breach Notification: every controller is now legally obliged to notify personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms, and to notify the affected individuals themselves, without undue delay, if there’s a likely high risk to them. Processors must notify their controller without undue delay too.
This is huge because, before GDPR, basically only ISPs and telcos had to notify breaches. Now it’s everyone, and there’s a 72-hour deadline.
Existing Data Subject Rights, or DSRs, were so strengthened, and joined by a couple of new ones, that it’s worth calling it a new area. Individuals, or ‘data subjects’, can ask for access to the data you have on them, have it corrected and have it erased, just as they could before, but they can also now port it to someone else, restrict your use of it and object on broader grounds to your using it.
With some requests you’ve got no choice but to comply – for example, when they withdraw consent for, or object to, using their data for direct marketing. Others are subject to certain conditions and exemptions, and you generally have one month to respond, so you need to make sure you get that right and have a team trained on how to recognise and deal with them.
GDPR now means you have to implement ‘Data Protection by Design’ and ‘Data Protection by Default’. What that means is incorporating the data protection principles from the start of any project – that’s the ‘by design’ bit – and, ‘by default’, making sure the privacy-protective settings (collecting and retaining only what’s needed, for example) are your default across the board.
Your Privacy policies and procedures will help you here, including your risk assessments, which GDPR calls ‘impact assessments’. There’s one that GDPR says you have to do, and that’s a Data Protection Impact Assessment, or DPIA. It needs to be done before you start processing that’s likely to result in a high risk to individuals, and if the DPIA shows you can’t reduce that risk, you have to consult the regulator first.
Children are specifically protected under GDPR, which sees them as vulnerable data subjects. So, if you’re collecting their data, you need to make sure your privacy notices are written in age-appropriate language and are easily understandable; you’ll need to verify age (and get parental consent for those below the threshold) when relying on consent for certain online services, and that age, which is 13 in the UK, can vary across Europe up to 16; and it’s much harder to rely on legitimate interests when the data subjects are children than it is when they’re adults.
We’ve discussed Accountability already. You need to be able to demonstrate your compliance status to the regulator and, because of that, others will ask too – from the Board to your customers. So this will include your Privacy Governance structure, your Privacy Framework, your policies and procedures, the DPIAs we’ve talked about, and your Article 30 Records (see? stick around for that one-page index!) – Article 30 Records are the records of processing that Article 30 requires both controllers and processors to keep.
Last, you may need to appoint a Data Protection Officer, or ‘DPO’.
This is a brand new requirement at EU level for a person to advise the controller or processor on its GDPR compliance, although some Member States, Germany for example, already required one before GDPR. In summary:
And, if you’re subject to GDPR and you’ve no establishment in the EEA, it’s likely you’ll need to appoint an EU Representative. These aren’t there to advise like the DPO; they’re more of a post-box liaison point for data subjects and regulators to contact controllers and processors who’d otherwise have no EEA presence. They don’t take on the controller’s or processor’s liability under GDPR either, and they don’t even count as an ‘establishment’ for GDPR, even though that term is given a very broad definition.
In another huge development, for the first time, processors have direct obligations and liability under the law, including:
So there you go! That’s a quick summary of the huge law that is GDPR.
The link to the one-page index to GDPR is in the notes below – it’s a great cheatsheet when someone’s lording it over you with ‘Article 24 this’ and ‘Article 83 that’. And you’ll see links to some excellent guides.
Take a look at our other blogs and videos, including ‘10 Steps to GDPR Compliance’, and please do contact us to see how we can help you move your GDPR compliance out of the shadows into a revenue generator.
Do use #PRIVACYKITCHEN and let us know the topics and questions you want us to cover.
Stay well in the meantime and see you soon in Privacy Kitchen!