With the General Data Protection Regulation (GDPR) now in force, it’s necessary for businesses, employees and individuals (data subjects) to get to grips with what this means for you and how you handle and share personal data.
GDPR is legally binding and will apply across the whole of the European Union (EU) to businesses based, and businesses operating, in this region. Therefore, it will continue to apply to many UK businesses after Brexit and will also apply to many businesses based outside of the EU. This has been confirmed by the UK government.
Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
The regulation came into force in the UK on 25 May 2018.
What is GDPR?
The General Data Protection Regulation is a European Regulation that sets new standards for handling and managing data, in order to give individuals more rights, make data protection more consistent across borders and make businesses more accountable for how they manage personal data.
It is the most important change in data protection privacy regulation in 20 years and replaces the Data Protection Directive 95/46/EC.
The definition of personal data under GDPR is “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”.
“Personal Data is name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. If we focus on online identifiers, we can see that IP addresses, cookies, mobile IPs and even search engines will fall into scope of GDPR.”
In other words, anything that enables an individual to be identified falls under the category of personal data.
Why is GDPR being introduced?
Since the last directive was established in 1995, the world has become increasingly data-driven. The Economist stated in May 2017 that “the world’s most valuable resource is no longer oil, but data”.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches within this context, and to make data controllers (people deciding how data is processed) and data processors (people and organisations processing data on behalf of the data controller) more accountable for their actions.
In some areas, GDPR will create new rights for individuals, whilst also strengthening some of the existing rights people have under the Data Protection Act. Key changes include:
- Increased territorial scope – the legislation will apply to all businesses and individuals operating in or living in the European Union, even if data is not processed within the European Union.
- Penalties – organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
- Consent – strengthened conditions for consent mean a positive opt-in is required. Pre-ticked boxes and other methods of consent by default are not permitted. It must be as easy to withdraw consent as it is to give it.
- Notification and legal processing – data controllers must pay a fee to the Information Commissioner’s Office (ICO) to fund its data protection work, and data processing can only legally take place after the organisation has assessed the impact of processing on the data subject.
- Breach notification – breach notifications will be mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. Breaches must be reported to the ICO within 72 hours of the organisation first becoming aware of them. Data processors must inform data controllers and data subjects as soon as they are aware of a breach.
- Right to access – data subjects will be able to request from data controllers whether their data is being processed, and what for. They can also request a free electronic copy of any of their stored personal data, which must be provided.
- Right to be forgotten – data subjects can request erasure of their data, as long as it is not deemed to be within the public interest to keep it. If the person is not entitled to erasure of the content, they may be entitled to restrict the way it is processed.
- Data portability – data subjects have the right to receive their own personal data which they have previously provided, and to transmit that data to another controller.
- Data Protection Officers (DPO) – for some organisations appointing a DPO will be mandatory, and for all businesses there will be internal record-keeping requirements. More about these requirements can be found through the ICO.
What does GDPR mean for you and your business?
GDPR is going to completely change the way that marketers have to think about data. In short, consent must be given and not assumed.
Marketers will have to demonstrate that data was lawfully obtained for a specific, stated purpose. In other words, if you have obtained data through a campaign it can only be used for that purpose – it cannot be used in any other way without further consent from the data subject.
Many businesses have grown databases using methods which do not comply with these standards, so those databases will have to be cleansed to ensure the business can prove that the data was obtained, and is being used, legally and legitimately with full consent.
The easiest way to do this is to have unambiguous opt-in boxes for different types of data processing. This way your proof of consent will be easy to report to regulators.
It is also important to ask yourself whether you really need to know the information you’re asking for. Many marketers ask for extra, nice-to-know information when collecting data. However, GDPR requires you to legally justify the processing of the personal data you collect.
Avoid collecting unnecessary data and stick to the basics.
And finally, what is Facebook’s commitment to the GDPR?
In a recent article they state that data protection is central to Facebook and their family of apps’ services. Their GDPR preparations are well underway, and they are hiring a Data Protection Officer as required by the GDPR.