The General Data Protection Regulation (GDPR) is the biggest change to data protection law in a generation
Information Commissioner, Elizabeth Denham
From 25 May 2018, EU citizens will have greater control over how businesses collect and use their personal data, in a new set of regulations called General Data Protection Regulation (GDPR).
With less than a year left to get compliant, we’re writing a short article series called 'Understanding GDPR - and Beyond' to help you understand what GDPR is, how it impacts your business and what steps you can take to get compliant, but also to get inspired about the business opportunity it poses.
This week, we’re looking at the fundamentals of GDPR and what the impact on your business could be.
GDPR is a new piece of EU legislation which strengthens data protection for all individuals within the EU. It replaces the existing Data Protection Directive from 1995.
The goal of GDPR is to give individuals more control over their personal data and to simplify the rules for businesses using that data.
GDPR was adopted on 27 April 2016 and becomes legally enforceable from 25 May 2018.
Failure to comply with GDPR by this deadline could result in strict financial penalties of up to €20 million or 4% of annual global turnover – whichever is higher.
It’s important to note here that the current Brexit discussions will not affect the implementation of GDPR. The 2018 deadline will arrive before Brexit can take place, and any future UK data regulations will likely mirror GDPR very closely.
Personal data is any type of data that could be used to identify an individual.
Under GDPR, the definition of personal data has been expanded to include a wide range of personal identifiers, to reflect how technology has changed and how people use their data.
GDPR extends personal data to cover:
“Any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
Practically speaking, this refers to:
It will also now refer to online personal identifiers, such as:
Some example systems applicable may include:
Remember, these rules will apply to both automated and written files and records.
GDPR will now apply also to special categories of personal data which could reveal sensitive information about an individual that would indicate their:
Biometric and genetic data is also covered.
GDPR will be applicable to any type or size of business which handles the personal data of citizens based in the EU.
If you gather or use the personal data of your customers or clients, you will fall into one or both of these categories: data controller or data processor.
The reality is, virtually all businesses use or handle personal data, whether customer or employee.
If you currently observe Data Protection laws, then GDPR applies to your business.
It’s important to bear in mind the overarching goals of GDPR when planning for compliance.
The goal is to give citizens control over their personal data, not to punish businesses.
The expansion of digital technology is leading to a proliferation of data generation, and we need a framework to manage it.
With high profile data breaches occurring almost weekly, people are understandably nervous about how and where their data is used.
GDPR should help businesses and the people who use them develop a more trusting relationship built on transparency and respect, one that actually helps businesses find and retain customers.
Building trusted relationships with the public will enable you to sustainably build your use of data and gain more value. Through changing their data handling culture, organisations can derive new value from customer relationships.
Steve Wood, ICO Deputy Commissioner for Policy