What is General Data Protection Regulation?
If you’re a business owner, you’re likely to have heard a lot of talk recently regarding GDPR (General Data Protection Regulation). There has been a lot of speculation and confusion surrounding what GDPR is and what it will mean for business owners.
GDPR stands for General Data Protection Regulation. It is a new set of rules being put in place on May 25th 2018 by the European Union (EU) and as such, all EU countries will have to follow these regulations by the enforcement date. For EU businesses this is very important as these guidelines are being put in place to regulate what businesses/companies can do with public data and how they are allowed to collect it.
In this article, we will explore exactly what regulations will be put into place with the implementation of GDPR, what they mean for you, what the repercussions of breaching regulations will be and how you can ensure that your business is compliant.
What Types of Data Does the GDPR Act Regulate?
GDPR regulates how you collect and use two types of data:
- Personal Data – Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. *
- Sensitive Personal Data – Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. *
(*Legal Definition)
Which New General Data Protection Regulations Affect My Business? – A GDPR Checklist
There are a few main ways in which the General Data Protection Regulation act differs from the Data Protection Act. If you are already compliant with current data protection laws, these are the new things that you’ll need to consider:
- Consent – You must always have clear consent from an individual in order to use their personally identifiable information (PII). This consent must be positive and unambiguous. You must not allow somebody the opportunity to accidentally opt-in by using leading tactics such as pre-ticked opt-in boxes and other similar methods.
- Data Protection Officers – For many companies, it will become mandatory to have a data protection officer in place. This applies to you if you have 250+ staff members, if you are a public authority, if you deal with sensitive data, or if your main focus is data.
- Individual Rights – The new GDPR regulations have a strong focus on strengthening the rights of individuals. Individuals must now be made aware of a breach of their data within 72 hours of the breach occurring. They must also be given the right to have their data deleted, ported or to have the usage of it restricted. You should also ensure that you’re only collecting personal data when it is necessary for the benefit of the individual or in order to fulfil a contract between you and the individual.
- Fining – The maximum fine for a breach is now either €20 million or 4% of your annual turnover, whichever is larger.
- Documentation – It is now going to be vital that you keep evidence of all your data protection systems and activities. You must be able to provide proof via documentation that you have taken the necessary steps to assess data breach risks and prevent a breach from occurring. You will also need to have evidence showing what you’re doing with personal data, how you’re handling it and that you have clear consent to hold and use all personal information within your systems.
- Liability – GDPR rules state that all parties involved with handling, transferring and/or using an individual’s data are liable for that data. This means that if you are receiving an individual’s data from a third party, you must ensure that they properly obtained consent for that data and handled it correctly.
Will GDPR Still Apply to the UK After Brexit?
Simply put, yes: the new data protection regulations put in place by the EU will still apply to those in the UK after leaving the European Union, unless the UK government decides to opt out of or alter any of the existing GDPR regulations.
Conclusion
As stated above, GDPR regulations are similar to the Data Protection Act that is already in place, only with several new regulations to consider if you’re a business owner. If you already abide by the current data protection laws, you’ll only need to follow these new additional rules in order to ensure that you’re compliant with the General Data Protection Regulation act.
Disclaimer
At Appoly, we do not offer licensed or professional legal advice and as such, this article should be used for research purposes only. We do not take any responsibility for the operations of other individuals or businesses. If you are unsure of anything discussed in this article, please do your research and/or seek licensed legal advice.
You may also wish to review the regulations directly on the GDPR official website.