What is the GDPR?
Following on from our September blog, here is a recap of the upcoming General Data Protection Regulation (GDPR).
The GDPR comes into force on 25th May 2018. It is not a new regulation but instead a required evolution of the existing Data Protection Act. It gives additional protection for individuals and their data, providing greater transparency and control over where their data is saved and how it’s used. The UK’s data protection regulator, the Information Commissioner’s Office (ICO), gives guidance on what the new law means for organisations and how they can become compliant.
The GDPR opportunity
The GDPR presents an opportunity for organisations to create relationships with customers and prospects that are more transparent and trust based.
Consumers have growing concerns about handing over personal information to organisations and the associated risks (having their private information stolen by criminals, receiving nuisance calls and spam or having their data sold on to third parties for marketing purposes without their knowledge). The GDPR seeks to allay this distrust and presents an opportunity for organisations to build improved relationships with their customers by positively embracing the new powers that the law gives consumers.
The GDPR also provides an opportunity for organisations to truly embrace data protection as a brand differentiator engendering better, more trusting relationships with consumers. These transparent relationships, in which brands are respectful of privacy and data protection, enable organisations to be more upfront and honest about what information they would like to receive from a customer or prospect and what they intend to do with it.
Who does the GDPR apply to?
The new law applies to ‘controllers’ and ‘processors’ of data. A controller is responsible for how and why the data is processed, while the processor acts on the controller’s behalf.
- If you are a processor, the GDPR places specific legal obligations on you. For example, you are required to maintain records of personal data, as well as processing activities, and you will have significantly more legal liability if you are responsible for a breach. Obligations for processors are a new requirement under the GDPR.
- If you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
What information does the GDPR apply to?
The GDPR applies to Personal Data - meaning any information relating to an individual who can be directly or indirectly identified. The definition provides for a wide range of personal identifiers to constitute personal data including but not limited to: name, identification number, location data or online identifier. The GDPR applies to both automated personal data, and to manual filing systems in which personal data is accessible according to specific criteria.
The GDPR key points
- Lawful Processing
The ICO offers clear guidance on how to be GDPR compliant. Organisations must identify which of the six legal bases for processing personal data they are using and document it.
Under the GDPR’s definition of consent, there are two new points (highlighted in bold) for organisations to consider:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
The ICO’s guide to consent provides a list, which elaborates on this definition.
- Legitimate Interests
Some organisations may wish to explore whether legitimate interests are a more appropriate legal basis upon which to process personal data for specific purposes.
A wide range of interests may be legitimate interests. They can be your own interests or the interests of third parties, and commercial interests as well as wider societal benefits. They may be compelling or trivial, but trivial interests may be more easily overridden in the balancing test.
How can I plan for compliance?
The ICO has produced a 12-point guide to what organisations need to do to prepare for the GDPR – from raising awareness at every level within a company to auditing data and establishing a legal basis for processing and storing personal information. If you want to learn more, please contact BTA.