Currently, the UK relies on the Data Protection Act 1998, which was enacted following the 1955 EU Data Protection Directive, but this will be suspended by the new legislation. It will introduce fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.
The EU wants to give people more control over how their personal data is used, bearing in mind that companies such as Facebook and Google swap access to people’s data for use of their services. The current legislation was enacted before the internet and cloud technology created new ways of exploiting data, and the GDPR seeks to address that. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy.
The EU also wants to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market. The EU estimates this will save businesses a collective €2.3 billion a year.
The GDPR will apply in all EU member states from 25 May 2018. Because GDPR is a regulation, not a directive, the UK does not need to draw up new legislation – instead, it will apply automatically. While it came into force on 24 May 2016, after all parts of the EU agreed to the final text, businesses and organisation have until 25 May 2018 until the law actually applies to them.
Who does GDPR apply to?
Controllers and processors of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So, the controller could be any organisation, from a profit-seeking company to a charity or Government. A processor could be an IT firm doing the actual data processing.
Even if a controller of processer and based outside of the EU, the GDPR will still apply to them if they are dealing with data belonging to EU residents.
It’s the controller’s responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
10 things you and your business should know about GDPR:
- The definition of personal data is now much broader and will include identifiers such as: genetic, mental, cultural, economic and social identity.
- The regulation is also applied to non-EU companies that are processing personal data of individuals in the EU.
- Parental consent is required for the processing of personal data of children who are under the age of 16.
- Controllers must report a data breach no later than 72 hours after becoming aware of the breach, unless the breach has a low risk to the individual’s rights.
- If you breach the GDPR law, you can face tough penalties, including fines up to 4% of annual global revenue or €20 million, whichever is greater.
- Obtaining consent for processing personal data has to be clear, and must seek affirmative response.
- Data subjects have the right to be forgotten and erased from all records.
- Users may request a copy of personal data in a portable format.
- The appointment of a data protection officer (DPO) will be compulsory for companies who process high volumes of personal data.
- Privacy risk impact assessments will be required for projects where privacy risks are high.