On 25th May 2018, the new General Data Protection Regulation (GDPR) enacted by the EU will come into effect. This replaces the existing Data Protection Directive, enacted in 1995. The change is much more than a simple update/upgrade of existing policy. At its core, the GDPR is a move towards enshrining control of your personal data as a fundamental human right.
The GDPR gives EU citizens control of their digital data by empowering them with the right to know when personal data is being collected, what data is being collected, access to that data, and to purge it on request. In short, the GDPR is a data privacy regulation that modernises and normalises data privacy laws across Europe. It applies to any organisation collecting personal data on EU citizens. If you run a web site then the regulation almost certainly applies to you.
The principles of GDPR
The EU General Data Protection Regulation (GDPR) outlines six data protection principles that organisations need to follow when collecting, processing and storing individuals’ personal data. The six principles can be summarised as follows:
- Lawfulness, fairness and transparency. Data must be processed lawfully, fairly and in a transparent manner in relation to individuals.
- Purpose limitation. Data should be collected for a specific purpose.
- Data minimisation. Data should be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy. Data should be accurate and, when necessary, kept up to date.
- Storage limitation. Data should be kept in its most clear and concise form and should be kept no longer than is necessary for its purpose.
- Integrity and confidentiality. Data needs to be processed in a manner that ensures appropriate security of the personal data.
How it works
For the purpose of understanding how GDPR works, 4 key definitions have been established. These are defined as follows:
- Personal Data
- Data Subject
- Data Controller
- Data Processor
The GDPR defines “personal data” as the following:
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The Data Subject is the individual whom particular personal data is about. If your web site records the personal data of any EU citizen, that user is considered a data subject. Data subjects could include employees, customers or even potential customers if your business collects prospective leads.
The Data Controller is the person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. In practical terms, once a user has given consent for you to collect their data, you are the data controller.
In some instances, the data controller may use the services of a third party to process personal data. This person (or organisation) is known as a Data Processor. A Data Processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
But my web site doesn’t process any data…
Yes it does. Every time you receive an email enquiry through your web site you are collecting personal data. Collecting = Processing.
What about consent?
In order to process any personal data, you need consent. A user can give consent only by clear, affirmative action. This can be done with an opt-in box – but only if that box is not pre-ticked.
“Silence, pre-ticked boxes or inactivity does not constitute consent.”
You cannot give consent by not doing something.
Data Subject Rights
As explained by the ICO, data subjects have eight principal rights concerning their personal data:
- The right to be informed. Data subjects must be told what data they are giving you. The information must be clear, unambiguous and easy to access – not hidden away somewhere in small print.
- The right of access. Data subjects must be able to request and obtain confirmation that personal data is or is not being processed, and if so exactly what data is being processed, how, where, and for what purpose.
- The right to rectification. Data subjects are entitled to require the data controller to rectify any errors in their personal data without undue delay.
- The right to erasure. Data subjects are entitled to require a data controller to delete their personal data if the continued processing of that data is not justified.
- The right to restrict processing. Apart from storage, no processing of personal data can occur without the consent of the data subject unless it is in connection with legal claims.
- The right to data portability. The data subjects are entitled to request all data that a data controller holds on them and to reuse it for their own purposes.
- The right to object. The data subject has the right to raise objections and then requires the data controller to demonstrate that it either has compelling grounds for continuing the processing, or that the processing is necessary in connection with its legal rights.
- The right of automation. Data subjects have the right not to be subject to decisions based solely on automated processing which significantly affect them.
But what do I do with all the personal data I have already collected?
Good question. So long as you collected that data in line with GDPR, then you do not need to take any further action. If, however, you came by that data either indirectly or without gaining specific permission from the user, then their consent is no longer valid. Even if you believe you did obtain consent, could you prove it if asked to do so?
So I need to take GDPR seriously?
Indeed you do. Your web site has until 25th May 2018 to comply with the regulations set by the GDPR. The penalty for non-compliance can be 4% of annual global turnover, up to a maximum of €20 million. Ignorance of the law is not an excuse.
Put simply, to make your web site GDPR compliant, you should: (1) display a privacy notice; (2) avoid collecting user data where it isn’t necessary; (3) where you do collect it, inform your users how and why you intend to use their data; (4) put mechanisms in place so that users can control their data; and (5), most importantly of all, make a record whenever you receive consent. You may need to prove it one day.
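As an added illustration of steps (4) and (5), together with the rule from the consent section that a pre-ticked box or inactivity is not consent, here is a small consent ledger in Python. This is example code written for this article, not code from the original post or from any GDPR tool or library; the class and field names (ConsentLedger, subject_id, notice_version, purpose) are assumptions, and all sample data is constructed.

```python
"""Minimal consent ledger: records affirmative consent as evidence, lets a data
subject withdraw it, and serves access, portability and erasure requests.
Example code, not from any real GDPR tooling; identifiers are assumptions."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional


def consent_is_valid(box_ticked: bool, box_was_pre_ticked: bool) -> bool:
    """Only a clear affirmative action counts: the user must have ticked a box
    that was NOT pre-ticked. Silence, pre-ticked boxes or inactivity never do."""
    return box_ticked and not box_was_pre_ticked


@dataclass(frozen=True)
class ConsentRecord:
    """One consent event, kept so that consent can be proven later."""
    subject_id: str               # your own identifier for the data subject
    purpose: str                  # the specific purpose the user agreed to
    notice_version: str           # which privacy notice the user saw at the time
    recorded_at: str              # UTC timestamp of the affirmative action
    withdrawn_at: Optional[str] = None


class ConsentLedger:
    """Append-style store of consent events for one web site (hypothetical)."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    @staticmethod
    def _stamp(now: Optional[datetime]) -> str:
        return (now or datetime.now(timezone.utc)).isoformat()

    def record_consent(self, subject_id: str, purpose: str, notice_version: str,
                       box_ticked: bool, box_was_pre_ticked: bool,
                       now: Optional[datetime] = None) -> ConsentRecord:
        """Step (5): record consent, but refuse anything that is not an opt-in."""
        if not consent_is_valid(box_ticked, box_was_pre_ticked):
            raise ValueError("no valid consent: requires a clear affirmative action")
        rec = ConsentRecord(subject_id, purpose, notice_version, self._stamp(now))
        self._records.append(rec)
        return rec

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Check before processing: is there an un-withdrawn consent for this purpose?"""
        return any(r.subject_id == subject_id and r.purpose == purpose
                   and r.withdrawn_at is None for r in self._records)

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> bool:
        """Step (4): the subject withdraws consent; the event is kept, not deleted,
        so the history remains provable. Returns True if anything changed."""
        changed = False
        for i, r in enumerate(self._records):
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                self._records[i] = ConsentRecord(r.subject_id, r.purpose, r.notice_version,
                                                 r.recorded_at, self._stamp(now))
                changed = True
        return changed

    def export_for_subject(self, subject_id: str) -> str:
        """Right of access / data portability: everything held about one subject,
        in a machine-readable form the subject can reuse."""
        return json.dumps([asdict(r) for r in self._records
                           if r.subject_id == subject_id], indent=2)

    def erase_subject(self, subject_id: str) -> int:
        """Right to erasure: drop every record for the subject; returns the count removed."""
        before = len(self._records)
        self._records = [r for r in self._records if r.subject_id != subject_id]
        return before - len(self._records)


if __name__ == "__main__":
    # Constructed sample: a visitor ticks an un-ticked newsletter box on 25 May 2018.
    ledger = ConsentLedger()
    when = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.record_consent("user-42", "newsletter", "privacy-notice-v1",
                          box_ticked=True, box_was_pre_ticked=False, now=when)
    print(ledger.has_consent("user-42", "newsletter"))
    print(ledger.export_for_subject("user-42"))
```

The ledger answers the question "could you prove it if asked?": each record ties the subject, the purpose, the privacy notice version and a timestamp together, and withdrawal marks the record rather than deleting it, so the history stays intact until the subject exercises the right to erasure.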
Whilst no one seriously expects small web site owners to be served with huge fines from day 1 of the new regulation, it is in your interest to get up to speed. Once all the pieces of GDPR start to fall into place, the powers that be will start to flex their muscles. Data breaches, in particular, could lead to fines if they are found to have caused harm.
Remember, ignorance is not a defence in court.