The EU General Data Protection Regulation (GDPR) is “the biggest change to data protection law for a generation”. It’s not just us saying that – those are the words of the Information Commissioner, Elizabeth Denham.
Even though the GDPR is European legislation, Brexit will not diminish its impact in the UK. It will come into effect throughout the EU from 25 May 2018. At that point, the UK will still be a member of the EU, so organisations will need to comply and individuals will be entitled to benefit from the GDPR.
The primary objective of the GDPR is to provide one set of rules across the EU to protect how information about individuals is treated and transferred. These rules should make EU data protection laws fit for the digital age.
This article doesn’t provide a detailed commentary on the 99 Articles of the GDPR, but we have set out below some of the key points to be aware of, whether you want to know how your own personal information can be used, need to understand how the GDPR will affect your business or company, or are involved with a charity or other organisation that holds personal information about individuals.
Organisations collecting and using personal information will have to give individuals more information about what happens to their personal details, and why, in a privacy notice. With increased awareness will come increased scrutiny. The GDPR is designed to make organisations more accountable for their use of personal information.
The GDPR ensures that individuals have clear rights to object to, or restrict use of, their personal details, or request the erasure of those details. These aren’t absolute rights; there are circumstances in which these rights won’t apply. But they are designed to give individuals more control over how their personal details are used.
It should also be quicker and easier to gain access to the personal details that an organisation holds on you. The timeframe for responding to an access request is being shortened to one month, and there will no longer be an automatic right to charge a fee for dealing with an access request. This clearly ties in with the theme of more visibility.
Organisations need to track data carefully
The GDPR requires organisations that collect, hold and/or use personal details to keep records of:
- The categories of personal details processed
- The categories of individuals whose personal data are processed
- The purposes for which those details are processed
- Who personal details are shared with
- Details of certain international data transfers
- Storage periods for the different categories of data held
- The technical and organisational measures to keep the data secure
More significant consequences for getting it wrong
The maximum level of fine for non-compliance with the GDPR will be €20 million, or 4 per cent of worldwide turnover if that’s greater. This is a significant increase on the current maximum of £500,000 and is intended to ensure data protection compliance moves up the risk agenda for many organisations. It is meant to make people sit up and take notice of data protection issues.
If you are involved with an organisation that will need to comply with the GDPR, then now is the time to prepare for its implementation.
And, finally, the GDPR is not the only enhancement to privacy laws on the horizon. A new EU ePrivacy Regulation has been proposed to tighten (among other things) the rules on marketing activities, with the default position being that all direct marketing to individuals by phone, text or email must have opt-in consent. The details of the changes have not been hammered out yet, but the message from the EU on data protection and privacy is clear: Power to the People!