Can you remember the last Privacy Policy you read? Probably when you signed up for one of the many social media platforms where we all share personal information, contact details and photos of ourselves right? Or one of the cloud-based sharing platforms where we upload files, reports and other data? Given that the average Privacy Policy is around 2,500 words it’s not surprising that we tend to just assume companies will have our best interests at heart once they have our data. We just skim over a privacy policy or click ‘I agree and accept’ to their terms and conditions.
As more and more companies move into ‘data-driven’ marketing across digital, the use of personal information will clearly become more and more prominent. One such area we’re all probably very aware of is the use of cookies to personalise your online experience, with various pop-ups and other notices in use across pretty much all websites operating within the EU.
In line with the mounting use of personal data, it’s time to meet the newest acronym for businesses, the GDPR. 4 years in the making, GDPR will replace all previous data protection legislation dating back 20 years (including the Data Protection Act (DPA) 1998 in the UK) across all member states of the EU.
What does GDPR stand for?
GDPR stands for General Data Protection Regulation, a new EU regulation that details the requirements for those responsible for both the collection (data controller) and processing (data processor) of any ‘personal’ data. It covers everything from a name and email address to a photo or post on a social media site to bank details or a computer IP address. The level of data now classed as ‘personal’ is a key expansion of GDPR vs DPA.
Data controllers are defined as the entity who essentially details the reasons and requirements for processing the data as well as the means for doing so. The data processor is the entity responsible for processing the data on behalf of the controller.
Why is GDPR coming into force?
Well there are a couple of reasons for that. I mentioned two different services in the opening paragraph which show how much we openly share data on the internet and there are many more services which rely on us to pass over information in order to benefit from their use. I’m just going to go ahead and assume you’ve heard about the Cambridge Analytica business as well – people often share their data without truly understanding how it’s going to be used so GDPR steps in to make those uses really clear and easy to understand for individuals. If you haven’t heard about Cambridge Analytica, here’s a great read from Wired. And here’s our take on how our data is used to power algorithms, just for fun.
Basically, the world has already changed to be led by data. GDPR is just trying to get data processing practices caught up to that fact.
There is also a desire from the EU to make it very clear to member states (we’ll talk about Brexit next) of the legal environment which dictates their behaviour on holding this sort of data. As we, as individuals, share our data more and more outside of our home countries, GDPR provides a safety net to ensure the way our data is handled is aligned across the EU.
Who does GDPR apply to?
Essentially, any business that either holds or process’ any personal information from a user who resides in the EU, irrespective of where the business itself is located, subject to GDPR.
What about Brexit?
Good question. If you’re a business that deals with customers or holds data of users across countries within the EU, then GDPR will apply to you regardless of Brexit. If your business is solely UK-based then the answer is a little murky. Given the support to GDPR by both the UK Government and Information Commissioners Office, it’s likely that an equivalent that closely follows GDPR will be implemented for the UK.
Why GDPR is important
Some breaches of the GDPR carry a fine of up to 4% of global annual turnover or €20million while others, including failing to keep records, warrant a fine of up to 2% of global annual turnover or €10million.
A number of rights for users have been increased under the GDPR in comparison to DPA. The details around how personal data is going to be used now have to be specified and explicit with processing done in a fair and transparent manner. The collection of consent from users also has to be similarly explicit, which will mean changes to online customer journeys for a lot of businesses. A pre-ticked box or ignoring the issue simply won’t be accepted under the GDPR.
Of those increased user rights, an important one to consider is the ‘right to be forgotten’ – a phrase now more commonplace with certain search results being removed from Google’s index over the past 12 months. There are exceptions of course, such as data used in the defence of a legal claim. But if a data subject withdraws their consent or objects to the processing of their data then it will be required to be erased fully by all relevant data controllers in possession.
Interestingly there is now a requirement for data controllers to inform the Information Commissioners Office (and subsequently, any affected data subjects) where a data breach has occurred – something which was not a requirement under the DPA. With several high-profile data breaches happening in recent months, this will no doubt be a reassuring addition to data protection regulations for consumers.
When will the GDPR be adopted?
The GDPR was approved by EU Parliament back in April 2016, with enforcement across organisations required by 25th May 2018. Non-compliance would no doubt see offenders hit with substantial fines, highlighting the importance for businesses to begin taking steps to implement these changes as soon as they can
GDPR: Key Takeouts
- Following the 25th May 2018, GDPR will become the standard data protection regulation for any business who handles data of data subjects residing in the EU.
- All data must be processed in a way that is fair, lawful and transparent and collected for a specific, legitimate and explicitly stated reason with no further processing outside of these purposes.
- The definition of ‘personal’ data in the GDPR has been broadened to cover elements such as IP addresses, which were not covered in the DPA.
- Consent for the collection of personal data needs to be explicit and detailed – pre-ticked boxes or silence on how data will be used will likely constitute a breach of the GDPR.
- Fines for offending organisations could run to €20million in severe cases, a significant increase on the limits set out in the DPA.