What Is GDPR?
Disclaimer: the information in this blog should not be considered legal advice. Please seek advice from an appropriate legal professional.
- What Does GDPR Stand For?
- What Is GDPR For?
- What Are the 7 Principles of GDPR?
- What Was before GDPR?
- When Did GDPR Come into Effect?
- How Are Customers Affected by GDPR?
- What Types of Data Does GDPR Protect?
- What Is ‘Personal Data’ within GDPR?
- Which Types of Company Are Affected by GDPR?
- Do I Need a Data Protection Officer?
- How Do I Prepare for GDPR?
- How Do I Get Consent under GDPR?
- Who Can Access the Data We Store?
- What Is ‘the Right to Be Forgotten’?
- Are There Any Fines for Non-Compliance or Breaches of GDPR?
- Have Any Companies Been Fined for GDPR Breaches so Far?
- How to Respond to a Personal Data Breach
- Will Brexit Affect GDPR?
- GDPR Checklist for Small Businesses and Startups
What Does GDPR Stand For?
GDPR stands for General Data Protection Regulation. UK businesses and organisations must comply with GDPR.
What Is GDPR For?
GDPR is supposed to prevent businesses and organisations from misusing personal data.
What Are the 7 Principles of GDPR?
According to the Information Controller’s Office (ICO), GDPR is made up of seven core principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
What Was before GDPR?
In the UK, GDPR replaced the 1995 Data Protection Directive.
When Did GDPR Come into Effect?
GDPR came into effect on May 25th, 2018.
How Are Customers Affected by GDPR?
Individuals have certain rights according to GDPR. These include the following:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
What Types of Data Does GDPR Protect?
GDPR applies only to personal data. If data is anonymous, it is not covered by GDPR.
What Is ‘Personal Data’ within GDPR?
According to the ICO, personal data is information that relates to an identified or identifiable individual. Different pieces of information can be considered personal data according to the context. For example, names, telephone numbers, IP addresses and cookies may all be examples of personal data.
Which Types of Company Are Affected by GDPR?
Anyone who controls or processes data might be affected by GDPR. The ICO distinguishes between data controllers, joint controllers and processors. Any company that collects personal data, including data about employees, might be considered a data controller.
Any company given personal data by a customer or a third party might be considered a data processor. There’s a checklist companies can use to see if they are considered data controllers or processors.
Do I Need a Data Protection Officer?
Under GDPR, you must appoint a Data Protection Officer in three situations:
- If you are a public authority or body (except for courts acting in their judicial capacity).
- If your core activities require large-scale, regular and systematic monitoring of individuals.
- If your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
This applies to both controllers and processors.
How Do I Prepare for GDPR?
GDPR has been in force since May 2018, so you should take steps to comply if you haven’t done so already. Small businesses owners and small traders can complete the GDPR self-assessment to see what steps they need to take to prepare for GDPR.
How Do I Get Consent under GDPR?
According to GDPR, you must have a lawful basis for processing data. Consent is one lawful basis for processing data. To get consent under GDPR, you should follow these best practices:
- Consent must be granular; you cannot ask for vague consent or blanket consent.
- Consent requires a very clear and explicit statement of confirmation.
- Consent must be separate from all other terms and conditions.
- Be clear and concise.
- Consent should require a positive opt-in. Pre-filled boxes and other methods of consent by default are not acceptable.
- Name any third-party controllers that rely on the consent.
- Make it easy for people to withdraw consent and clearly explain how.
- Keep evidence of consent, including who, when, how and what you told.
- Keep consent under review.
- Avoid making consent a precondition of a service.
- Public authorities and employers will need to take extra care to show that consent is freely given.
Who Can Access the Data We Store?
If you are a company that processes personal data, then according to Cyber Essentials, staff accounts should have just enough access to software, settings, online services and device connectivity functions for them to perform their role. Extra permissions should only be given to those who need them. Cyber Essentials is a security framework endorsed by the ICO.
What Is ‘the Right to Be Forgotten’?
The right to be forgotten appeared in a draft European Data Protection Regulation from the European Commission. According to the right to be forgotten, which works alongside the right to erasure, individuals may claim that certain data should be “deleted so that a third person can no longer trace them.” It’s also been described as “the right to silence on past events in life that are no longer occurring.”
Are There Any Fines for Non-Compliance or Breaches of GDPR?
The Information Commissioner can issue fines for non-compliance. The maximum fine amount is 20 million Euros or 4% of the total annual worldwide turnover, whichever is higher. All fines must be effective and proportionate.
Have Any Companies Been Fined for GDPR Breaches so Far?
GoSkippy Insurance was fined £60,000 for sending out more than 1 million direct marketing emails without consent. GoSkippy is associated with the Leave.EU campaign. Leave.EU was separately fined £15,000 and £45,000.
How to Respond to a Personal Data Breach
Under GDPR, certain types of personal data breaches must be disclosed to the ICO within 72 hours. If the personal data breach has a high chance of adversely affecting an individual’s rights or freedoms, those individuals must be informed of the breach without undue delay. Data breaches need to be detected, investigated and reported.
Will Brexit Affect GDPR?
Brexit likely won’t have any impact on GDPR. As an EU regulation, all member states, including the UK, must comply. Even if the UK leaves the UK, the Data Protection Act 2018 will continue to apply. The government intends to bring GDPR directly into UK law on exit. The ICO advises everyone to continue complying with GDPR.
GDPR also affects anyone selling goods or services to EU citizens. Any UK business that continues to sell goods and services to EU citizens after Brexit will still be bound by GDPR.
GDPR Checklist for Small Businesses and Startups
The ICO has made several checklists available to small businesses. If you are a data controller (remember, any company that collects data might be considered a data controller) you can follow the data controller checklist. There’s also a data security checklist and a direct marketing checklist.