GDPR: what it is and what you should be doing to prepare

A simple explanation of the GDPR

What is the GDPR?

On the 25th of this month, the General Data Protection Regulation (GDPR) comes into effect. The new law doesn’t apply only to EU-based companies - it affects any business that holds data belonging to EU citizens and people living in the EU.

The GDPR gives individuals the “right to be forgotten”, and companies that don’t comply will face fines of up to millions of euros.

A new set of rules regarding privacy and security of personal information will soon be in place. The law was designed to replace the outdated 1995 Data Protection Directive and to align data protection laws across the EU.

What does it mean?

For individuals:

- Control over their personal information: anyone can ask a company to permanently delete all data relating to them.

- The right to ask for a copy of all information collected about them over the years, and to object to that data being processed.

- It’ll be easier to transfer data from one service to another.

For companies:

- Fines for not complying: whichever is greater of 20 million euros or 4% of annual worldwide turnover.

- The GDPR covers all companies that:

    - monitor data from people in the EU;

    - provide services or goods to the EU (even if free, or if the company is based outside the EU);

    - process data outside the EU and have an “establishment” in the EU.

8 things you should be doing to prepare for the GDPR

1. Prepare for data security breaches

2. Establish a framework for accountability

3. Embrace privacy by design 

4. Analyse the legal basis on which you use personal data

5. Check your privacy notices and policies

6. Bear in mind the rights of data subjects

7. If you are a supplier to others, consider whether you have new obligations as a processor

8. Cross-border data transfers

Source: Allen & Overy

Personal data and Consent

Personal data is defined as “any information relating to an identified or identifiable natural person ‘data subject’; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”

So both sensitive information (religious beliefs, sexual orientation, etc.) and pseudonymised data fall under the new regulation. The GDPR does not cover anonymous data.

Businesses need consent from consumers to collect information. It must be “freely given, specific, informed and unambiguous” and given by a clear action.

But consent has its limitations:

- It can’t be given under unfair terms.

- Different types of data require separate consent (an all-or-nothing option is not allowed).

- It is not valid if the consumer can’t freely give it or can’t refuse without detriment.

- Consent is invalid:

    - on contracts (terms of use included) that don’t require personal information to function - “free” apps and services that monetise personal data to cover costs will be affected;

    - when there’s an imbalance of power between the data subject and the controller.

Measures you need to take

A set of guidelines by the Information Commissioner’s Office (ICO) in the UK was released to help businesses prepare for the GDPR.

Many of the principles of the Data Protection Act from 1995 are still the same. If you are already abiding by them, you’re probably already covered, according to the ICO.

Review your business’s privacy notices and make the changes the GDPR requires. You have to inform people what information you collect, what you do with it and how long you will keep it.

Businesses have to create internal documentation showing how they comply with the GDPR, and must be able to present it if a complaint is made. Data breaches and their investigations also have to be documented.

All the data you hold has to be documented: where it came from and who you share it with. If there are inaccuracies, you have to report them to whoever you share the data with, so they can correct their records.

The lawful basis for processing personal data needs to be documented and explained in your privacy notice.

Every company has to determine what security measures are appropriate. It has to perform a risk assessment to ensure that those measures match the risk of a data breach and the harm it would cause to data subjects.

Once you receive a request to access information, you have one month to answer it and, in most cases, can’t charge for it.

In the case of children, you need a parent’s or guardian’s consent to process their data: for any child younger than 16, parental consent is required.

Privacy by design is legally required by the GDPR. DPIAs (Data Protection Impact Assessments), also known as PIAs (Privacy Impact Assessments), are mandatory in certain circumstances. One is required where:

- a new technology is being deployed;

- a profiling operation is likely to significantly affect individuals;

- special categories of data are processed on a large scale.

Each country is responsible for enforcing the new regulation. To enforce the GDPR against a company, the regulator in the country of the company’s headquarters has to pursue legal action.

Regulators can intervene if they think another regulator is being too lenient.

There is more here if you want to know.

It needs to be noted that we are not lawyers and you shouldn’t rely on this post (or any blog post) for legal advice.