GDPR, Even After Brexit

Disclaimer

This legal information is not legal advice, and we recommend that you consult a legal professional if you’d like advice on this subject.


What is GDPR?

The General Data Protection Regulation is an EU regulation that modernises the rules on how organisations collect and use personal data. It has applied across the EU since 25 May 2018.

Who does it apply to?

Organisations established in the EU, and organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (it protects anyone in the EU, not only EU citizens). It applies to the processing of personal data that is:

What are the fines and who imposes them?

Up to €20 million, or 4% of total worldwide annual turnover for the preceding financial year, whichever is greater (the lower tier for less serious infringements is €10 million or 2%).

In the UK they are imposed by the Information Commissioner's Office (ICO). Fines are discretionary and decided case by case, and the ICO has made it clear that they are a last resort. In the first year European regulators logged over 200,000 cases (complaints and breach notifications combined) but handed out only around €56 million in fines Europe-wide, and €50 million of that was a single fine imposed on Google by the French regulator, CNIL. We can infer that, for now, the authorities are willing to give organisations a lot of leeway so long as they get on board with the general principles of the regulation.

But will we still need to be on board after Brexit?

If UK businesses want to keep receiving and processing personal data from the EU after Brexit, the UK needs the European Commission to recognise its data protection regime as 'adequate', i.e. essentially equivalent to the GDPR. To that end the government has enacted the Data Protection Act 2018, which sits alongside the GDPR and supplements it, and the GDPR's own provisions are being carried over into UK law on exit. In practice Brexit will not change much when it comes to what you have to do with data.

What are the core principles?

The principles of the GDPR that I mentioned above are as follows (using some of the language from the Information Commissioner's GDPR documentation):

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

These principles represent the spirit of the GDPR, and you should keep them in mind at all times. The scarcity of fines so far is an implicit acknowledgement by regulators of how onerous full GDPR compliance is for any organisation. But they do expect you to recognise these principles and make a genuine effort to adopt them.

Some key definitions

Personal Data

GDPR applies to personal data only. 'Personal data' means any information about a living person, where that person is identified from the information, or may be identified by 'reasonable means'. In other words, even if the information does not contain the person's name, if it's possible to deduce the person's identity from the information then it is personal data.

For personal data to come under GDPR, however, the data must 'relate' to the individual. This is a slightly nebulous term, and you must use your judgement. Is the data directly about the individual or their activities? Will processing the data have some impact on the individual? If so, then it relates to them.

Sometimes it will be difficult to determine whether data is 'personal data'. In those cases, treat it as if it were: take care with it, and in particular store it securely.

Finally, some types of personal data are considered especially sensitive and are subject to additional protection under GDPR. You must not process this data unless specific requirements are met. These special categories of data are:

  • personal data revealing racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data processed to uniquely identify a person
  • data concerning health
  • data concerning a person’s sex life or sexual orientation

Processing

'Processing' simply means using personal data in any way. E.g. collecting, storing, consulting, sharing, erasing, analysing. But only processing by organisations for organisational purposes comes under GDPR. GDPR does not apply to processing for purely personal or household activities.

Rights of individuals

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision-making and profiling

What do I need to do to comply?

From a high level, you need to keep in mind the 7 core principles of the GDPR that we mentioned above, and the 8 individual rights that we also mention above. Simple! But let's get into specifics...

What do I have to do at the point of collection?

At the point of data collection you must tell the data subject how you will handle their personal data. The usual way is a privacy notice (privacy policy) presented before, or at the moment, you collect the data. It should state the 'lawful basis' under which you are collecting the data and the purpose for which it is being collected; the lawful bases are explained below. Note that making someone tick a box to accept a privacy policy does not by itself amount to consent under the GDPR; where you rely on consent it must be a separate, specific, freely given opt-in. Like all the information you present to individuals about their data privacy, the privacy policy should be 'concise, transparent, intelligible, easily accessible, and it must use clear and plain language'. See termsfeed for a privacy policy generator. (Again, I stress, everything in this article is for your information only and does not constitute legal advice.)

The six lawful bases (Article 6) are:

  • Consent: the individual has given clear, specific, opt-in consent to the processing.
  • Contract: the processing is necessary for a contract with the individual, or to take steps at their request before entering one.
  • Legal obligation: the processing is necessary for you to comply with the law.
  • Vital interests: the processing is necessary to protect someone's life.
  • Public task: the processing is necessary for a task in the public interest or for your official functions.
  • Legitimate interests: the processing is necessary for your, or a third party's, legitimate interests, unless those are overridden by the individual's interests, rights and freedoms.

What do I have to do after collection?

Even having obtained personal data under a valid lawful basis, you must only store the data for as long as is necessary in order to fulfil the purpose for which it was collected.

You must adopt 'appropriate technical and organisational' measures to secure the data. If you have in-house IT people, rely on them to implement the technical measures. If you don't, using a reputable cloud-hosting provider such as Amazon Web Services is a reasonable starting point, but be aware of the shared-responsibility model: the provider secures the underlying infrastructure, while you remain responsible (and, as controller, accountable) for how you configure it - who has access, whether storage is encrypted, whether backups and logs are protected. Alongside the technical measures, make sure that everyone in the organisation follows sound IT security practice. Also, where possible, data should be anonymised or pseudonymised. Note that pseudonymised data (identifiers replaced with tokens that can be mapped back using a separately held key or lookup table) is still personal data under the GDPR; only truly anonymised data, which cannot be linked back to an individual by any reasonable means, falls outside it. You may need expert help for this.
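The following Python example is added here to show what pseudonymisation looks like in practice; it is not code from the original article. It uses only the standard library and constructed sample records, and assumes a toy customer-record format with "name" and "email" as the direct identifiers. It shows why a plain hash of an email address is not a safe pseudonym (anyone holding a list of candidate addresses can recompute the hashes and match them) while a keyed HMAC token is, provided the key is kept apart from the dataset. It also shows that the controller, holding the key, can still re-identify a subject, which is exactly why pseudonymised data remains personal data.

```python
"""Pseudonymising records before analysis: keyed tokens vs plain hashes.

Added example, not from the original article. Assumes a toy record format
(constructed inline) and uses only the Python standard library.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional

# Fields that directly identify the subject and should not reach analysts.
DIRECT_IDENTIFIERS = ("name", "email")
# Fields the analysis actually needs (data minimisation).
ANALYSIS_FIELDS = ("signup_month", "plan", "country")


def _normalise(value: str) -> bytes:
    """Canonicalise the identifier so the same person always maps to one token."""
    return value.strip().lower().encode()


def unkeyed_token(value: str) -> str:
    """Plain SHA-256 of an identifier: NOT a safe pseudonym (see reverse_by_guessing)."""
    return hashlib.sha256(_normalise(value)).hexdigest()


def keyed_token(value: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym; without the key, tokens cannot be recomputed or linked back."""
    return hmac.new(key, _normalise(value), hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Return a minimised copy of the record keyed by a pseudonym instead of the email."""
    out = {"subject_token": keyed_token(record["email"], key)}
    for field in ANALYSIS_FIELDS:
        if field in record:
            out[field] = record[field]
    # Nothing from DIRECT_IDENTIFIERS is copied into the analysis set.
    return out


def reverse_by_guessing(token: str, candidates: List[str], key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: recompute tokens for candidate emails and compare.

    Succeeds against plain hashes because email addresses have low entropy
    and are easy to enumerate; fails against keyed tokens unless the
    attacker also holds the key.
    """
    for cand in candidates:
        guess = keyed_token(cand, key) if key is not None else unkeyed_token(cand)
        if hmac.compare_digest(guess, token):
            return cand
    return None


# Constructed sample data (fictional people).
SAMPLE_RECORDS = [
    {"name": "Ana Example", "email": "ana@example.com", "signup_month": "2019-03", "plan": "pro", "country": "IE"},
    {"name": "Ben Sample", "email": "ben@example.org", "signup_month": "2019-04", "plan": "free", "country": "FR"},
]
# Attacker's guess list (e.g. addresses scraped from an unrelated leak).
LEAKED_EMAILS = ["ana@example.com", "ben@example.org", "carol@example.net"]


def demo(key: Optional[bytes] = None) -> dict:
    """Build the analysis set and run the guessing attack against both token types."""
    # The key is the 'additional information' of Article 4(5): store it
    # separately from the dataset, with its own access controls.
    key = key if key is not None else secrets.token_bytes(32)
    analysis_set = [pseudonymise(r, key) for r in SAMPLE_RECORDS]
    # With plain hashes, the attacker recovers the email from the token.
    weak = unkeyed_token(SAMPLE_RECORDS[0]["email"])
    weak_recovered = reverse_by_guessing(weak, LEAKED_EMAILS)
    # With keyed tokens and no key, the same attack fails.
    strong = analysis_set[0]["subject_token"]
    strong_recovered = reverse_by_guessing(strong, LEAKED_EMAILS)
    # The controller, holding the key, can still re-identify (e.g. to answer an access request).
    with_key_recovered = reverse_by_guessing(strong, LEAKED_EMAILS, key)
    return {
        "analysis_set": analysis_set,
        "weak_recovered": weak_recovered,
        "strong_recovered": strong_recovered,
        "with_key_recovered": with_key_recovered,
    }


if __name__ == "__main__":
    result = demo()
    print(result["analysis_set"])
    print("plain hash reversed to:", result["weak_recovered"])
    print("keyed token reversed without key:", result["strong_recovered"])
    print("keyed token reversed with key:", result["with_key_recovered"])
```

The design point is the split: the analysis set carries only the HMAC token and the fields the analysis needs, and the key (or an equivalent lookup table) lives somewhere the analysts cannot reach. Lose that separation, by shipping the key alongside the data or by using an unkeyed hash, and the tokens are effectively the original identifiers.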

Under the rights outlined above, any member of the public may make a request to your organisation to exercise a right; for example, they may ask for a digital copy of all the personal data you hold that relates to them. This falls under the rights of access and data portability, and is also covered by the principle of transparency. You must respond to such a request within one month (extendable by a further two months where requests are complex or numerous, provided you tell the individual within the first month). Verify the requester's identity before sending anything: a subject access request answered without that check is an easy way to hand one person's data to another, which would itself be a breach.

If you have 250 or more employees, you must keep a record of all of your personal data processing activities. If you have fewer than 250 employees you only have to record processing activities that

  • are regular ('not occasional'),
  • could result in a risk to the rights and freedoms of individuals, or
  • involve special category data or data about criminal convictions and offences

When documenting, you must document

  • the name and contact details of your organisation
  • the purposes of the processing
  • a description of the categories of individuals and categories of personal data
  • who is receiving the personal data (third parties)
  • details of transfers of personal data to other countries including details of the safeguards in place
  • until when the data will be retained
  • your technical and organisational security measures

If there is a personal data breach within your organisation you may need to notify the Information Commissioner's Office (or the equivalent supervisory authority in your country). First, establish whether the breach is likely to result in a risk to individuals' rights and freedoms. If it is, you must notify the ICO within 72 hours of becoming aware of the breach; if you cannot give the full picture within 72 hours, report what you know and follow up with the rest. If you decide that you do not need to notify, you must be able to justify that decision, so document everything you relied on in reaching it. In fact, you must keep a record of every personal data breach, whether or not you report it. If a breach is likely to result in a high risk to the rights and freedoms of individuals, you must also notify those individuals 'without undue delay'.

The End!

So there you go! This is a 10,000 foot view of GDPR. It is not exhaustive, and it is NOT LEGAL ADVICE. I encourage you to dive into the links provided if you want more detail. However, the most important thing in my opinion is that you are aware of the principles of the legislation. Regulators have demonstrated that an honest effort to abide by these principles will be enough for now.

More articles by Colm Ginty

  • Customer Lifecycle Management
  • What Is Possible with Data Analytics