A piece of EU legislation that starts to apply next year (on 25 May 2018) is making its way around the internet and leaving a few people scratching their heads. It's known as the GDPR, and in this article I'll break down the main points: what it is, what it does, and what steps Europe-based companies are taking to comply with it.
So what is the GDPR?
GDPR stands for General Data Protection Regulation. Currently, the UK relies on the Data Protection Act 1998, which was enacted to implement the 1995 EU Data Protection Directive; both will be superseded by the new regulation.
Back in 2012, the European Commission (the executive branch of the EU) put forth its proposal for a reform of the Union's data protection rules. In essence, it called for a better, more consistent way for companies operating in the EU to handle the personal data of their customers.
After further discussions, an agreement was reached between the European Parliament, Commission, and Council, on December 15, 2015.
It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.
Why was the GDPR drafted?
This newly agreed reform, adopted by the Council on April 8 2016 and by the European Parliament on April 14 2016, has two parts worth noting:
The General Data Protection Regulation will enable people to better control their personal data. At the same time modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market by cutting red tape and benefiting from reinforced consumer trust.
The Data Protection Directive for the police and criminal justice sector will ensure that the data of victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal investigation or a law enforcement action. At the same time more harmonised laws will also facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more effectively across Europe.
Another reason for the GDPR is that the EU wants to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market (the EU estimates this will save businesses a collective €2.3 billion a year).
Beyond the difference in scope between the GDPR and the police and criminal justice Directive, there is a more fundamental difference between the two instruments:
- a regulation is legally binding and must be applied in full in every member state
- a directive is a legislative act that sets out a goal every EU state must reach, but leaves it to each country to decide how to implement it in national law
So who does the GDPR apply to?
'Controllers' and 'processors' of data need to abide by the GDPR. A data controller determines how and why personal data is processed, while a processor is the party doing the actual processing on the controller's behalf. The controller could be any organisation, from a profit-seeking company to a charity or government department; a processor could be an IT firm that stores or processes the data for it.
Even if controllers and processors are based outside the EU, the GDPR still applies to them if they offer goods or services to people in the EU or monitor the behaviour of people in the EU.
It's the controller's responsibility to ensure its processors abide by data protection law, and processors must themselves maintain records of their processing activities. If a processor is involved in a data breach, it is directly liable under the GDPR in a way it was not under the Data Protection Act, where the obligations fell on the controller alone.
When can I process data under the GDPR?
Once the regulation applies, controllers must ensure personal data is processed lawfully, transparently, and for a specific purpose, and must keep it only as long as that purpose requires. Once the purpose is fulfilled and the data is no longer needed, it should be deleted.
What counts as personal data under the GDPR?
The EU has substantially expanded the definition of personal data under the GDPR. To reflect the kinds of data organisations now collect about people, online identifiers such as IP addresses and cookie identifiers now count as personal data. Information relating to a person's economic, cultural, genetic, or mental health identity is also personal data.
Pseudonymised personal data (data where the identifying fields have been replaced by a key or token) is still subject to the GDPR if the person can be re-identified, for example by whoever holds the key; only data that is truly anonymised falls outside it.
Anything that counted as personal data under the Data Protection Act also qualifies as personal data under the GDPR.
How will this sit in relation to Brexit?
Time will tell. Yes, the UK is leaving the EU – the UK government triggered Article 50 on 29 March 2017, which starts a two-year negotiation period before the UK leaves (though it could take longer).
This means the GDPR will start to apply (25 May 2018) while the UK is still a member state, so UK organisations must comply with it for the time being regardless of the Brexit vote.
This article will be updated as and when we learn more. Stay tuned!