On May 25, internet and tech companies that handle user data of any sort will have a new legal provision to comply with. The General Data Protection Regulation or the GDPR is a new law that will come into force in the European Union later this month.
What does GDPR do?
GDPR enshrines data protection and privacy rights for European users and holds companies handling data, wherever they may be, liable for violations. Complying with GDPR is vital. Any business found not sticking to the rules could be charged fines of up to €20 million or 4% of the company’s global annual turnover, though the toughest fines will be reserved for the worst data breaches or data abuse.
What does the GDPR say?
The EU law comes into force on May 25, and decrees that consumers, or data subjects, have a right to erasure of their data and a right to port their data from one place to another. It also places a premium on the data subjects’ consent to the collection and processing of their data. Although the law is being introduced in the EU, its ramifications extend the world over. That is because it is not focused on regulatory measures for tech companies, but rather on the protection of EU citizens and their data. Since internet and tech companies the world over handle data from across the globe, the consequences of breaking the law extend to them. The law was introduced in 2016, with data controllers and processors the world over given two years, until this year’s May deadline, to comply.
‘Controllers’ and ‘processors’ of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they’re dealing with data belonging to EU residents.
It’s the controller’s responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
Why was GDPR drafted?
The GDPR was created to regulate how businesses use data, ensuring the rules are the same across the entire EU. Although it will apply to smaller businesses as well as large corporations, recent stories, such as the Cambridge Analytica scandal, have demonstrated how big organisations such as Amazon, Google, Twitter and Facebook are not strictly complying with a single set of rules.
What is consent under GDPR?
Once the legislation comes into effect, controllers must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
Consent must be an active, affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs.
Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want. If your current model for obtaining consent doesn’t meet these new rules, you’ll have to bring it up to scratch or stop collecting data under that model when the GDPR applies in 2018.
What is personal data under GDPR?
The EU has substantially expanded the definition of personal data under the GDPR. To reflect the types of data organisations now collect about people, online identifiers such as IP addresses now qualify as personal data. Other data, like economic, cultural or mental health information, are also considered personally identifiable information.
- Personal data
  - Anything that can be used to identify a person directly or indirectly
  - Photo, email address, name, physical address and online identifiers such as IP address, web cookie, and location data (i.e. GPS coordinates)
- Sensitive personal data
  - Genetic data, biometric data, health information, political beliefs and associations, religious beliefs and associations, sex life
  - Criminal history is the most tightly controlled
Pseudonymised personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is. Anything that is categorised as personal data under the Data Protection Act also qualifies as personal data under the GDPR.
What are GDPR individual data rights?
Right to access
People have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for, and who gets to see it. Where possible, data controllers should provide secure, direct access for people to review what information a controller stores about them. They can also ask for that data, if incorrect or incomplete, to be rectified whenever they want.
Right to erasure (right to be forgotten)
GDPR makes it clear that people can have their data deleted at any time if it’s not relevant anymore – i.e. the company storing it no longer needs it for the purpose they collected it for. If the data was collected under the consent model, a citizen can withdraw this consent whenever they like. They might do so because they object to how an organisation is processing their information, or simply don’t want it collected anymore.
Right to portability
Citizens can ask for their data to be moved from one provider to another, and can expect you to honour such a request within four weeks. Companies must ensure people’s data is in an open, common format like CSV, meaning that when it moves to another provider it can still be read.
Right to rectification
Citizens shall have the right to obtain from the company, without undue delay, the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, citizens shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.