What is GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) is a binding legislative act created by the European Union (EU), intended to address the inconsistencies between the current data protection laws of its member states. These regulations will therefore replace the UK’s Data Protection Act 1998 and the equivalent laws in all other European member states.

When does it come into effect?

From 25th May 2018, all companies collecting data from EU citizens will have to comply with the new GDPR regulations.

What information does GDPR apply to?

The two types of data that the GDPR is specifically concerned with are Personal Data and Sensitive Personal Data.

Personal Data: any information relating to an identifiable person who can be directly or indirectly identified through that information. The pieces of information that identify those people are referred to as ‘identifiers’ and include names, identification numbers, location data and online identifiers (e.g. an IP address). Even data that has been pseudonymized may still fall within the scope of the GDPR, depending on how difficult it is to attribute that data to an individual.

Sensitive Personal Data: these categories of data include genetic data, and biometric data that can be used to identify an individual. Personal data relating to criminal convictions and offences is not included within this category, but similar safeguards are in place concerning the processing of that data.

Who does the GDPR apply to?

There are two parties that will have to comply with these new regulations: Data Processors and Data Controllers. To fully understand how these parties need to comply, we should first define a few terms:

  • Data Controller: person(s) who determine the purposes and means of processing personal data.
  • Data Processor: person(s) who process the data on behalf of the data controller.
  • ‘Processing’: obtaining, recording, holding, or erasing data.
  • Data Subjects: person(s) from whom the data/information is collected.

Data Processors have specific legal obligations to maintain records of the personal data they hold and of the activities involved in processing that data. Processors can be held liable if they are responsible for a data breach.

However, there is a legal burden on Data Controllers to ensure that their contracts with processors comply with the GDPR regulations. All parties are expected to justify the purpose for which they are controlling or processing data.

Data Retention Period

Organizations must also provide information concerning how long they intend to retain data taken from subjects.

What does Brexit mean for GDPR?

As you likely know, the UK voted in a referendum to leave the EU, and so you may think that these regulations will not apply to British companies. This is not the case, as anyone who intends to collect data from EU citizens will have to fully comply with the GDPR, regardless of whether they are an EU member.

If you only intend to operate within the UK, the position is slightly less clear. However, an equivalent law is currently being discussed by the UK government that may be largely based on the regulations set out by the GDPR.

Why complying with the GDPR is essential

Organizations can be fined up to 4% of annual global turnover, or a maximum of €20 million, for breaching the GDPR. These penalties apply to both Data Processors and Controllers, so cloud service providers (‘Clouds’) will not be exempt from GDPR enforcement.

Obligations of Data Controllers and Processors

There is a legal obligation for Controllers and Processors to notify their selected lead data protection agency within 72 hours of discovering a data breach.

They must also notify those affected by the data breach without undue delay. Failure to do so will result in a penalty appropriate to the severity of the breach or to the negligence of the organization.

Data Protection Officers

Under these new regulations, an organization must appoint a Data Protection Officer if they:

  1. are a public authority;
  2. carry out large-scale systematic monitoring of individuals; or
  3. carry out large-scale processing of sensitive personal data, or of data relating to criminal offences and convictions.