GDPR – General Data Protection Regulation

On 25th May 2018, the new General Data Protection Regulation (GDPR) enacted by the EU will come into effect. It replaces the existing Data Protection Directive, enacted in 1995. The change is much more than a simple update or upgrade of existing policy. At its core, the GDPR is a move towards enshrining control of your personal data as a fundamental human right.

The GDPR gives EU citizens control of their digital data by empowering them with the right to know when personal data is being collected, what data is being collected, access to that data, and to purge it on request. In short, the GDPR is a data privacy regulation that modernises and normalises data privacy laws across Europe. It applies to any organisation collecting personal data on EU citizens. If you run a web site then the regulation almost certainly applies to you.

Q1: What is personal data?

The GDPR defines “personal data” as the following:

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Q2: But my web site doesn’t collect any data…

Yes it does. Ever wondered how many hits your web site has? Curious to know how many people have viewed a particular product in your online shop? Services like Google Analytics can provide such data by recording visitor traffic to your site. They use cookies to save each user’s IP Address, which can identify who they are and where they came from. Under GDPR, an IP Address is now considered personal data. After May 25th, your web site will only be allowed to record such information if the user has given specific consent.

Q3: But what about one of these…

We’ve all seen one of these before. Whilst it might inform visitors, it doesn’t actually give them any choice! It uses a method known as assumed consent. Once GDPR comes into force there will no longer be any such thing. Visitors to your site must be given an informed choice. The user must then confirm that their data can be collected through a process of clear, affirmative action. Silence, pre-ticked boxes or inactivity does not constitute consent under any circumstances.

“Silence, pre-ticked boxes or inactivity does not constitute consent.”

There must also be a privacy policy showing what data is going to be stored and how it is going to be used, and giving the user the right to withdraw their consent whenever they choose. The rights and obligations of all parties are set out under GDPR using the terms data subject and data controller.

Q4: What are Data Subjects and Data Controllers?

The data subject is the individual whom particular personal data is about. If your web site records the personal data of any EU citizen, that user is considered a data subject. Data subjects could include employees, customers or even potential customers if your business collects prospective leads.

The Data Controller is the person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. In practical terms, once a user has given consent for you to collect their data, you are the data controller. As explained by the ICO, data subjects have eight principal rights concerning their personal data:

  1. The right to be informed. Data subjects must be told what data they are giving you. The information must be clear, unambiguous and easy to access – not hidden away somewhere in small print.
  2. The right of access. Data subjects must be able to request and obtain confirmation that personal data is or is not being processed, and if so exactly what data is being processed, how, where, and for what purpose.
  3. The right to rectification. Data subjects are entitled to require the data controller to rectify any errors in their personal data without undue delay.
  4. The right to erasure. Data subjects are entitled to require a data controller to delete their personal data if the continued processing of that data is not justified.
  5. The right to restrict processing. Apart from storage, no processing of personal data can occur without the consent of the data subject unless it is in connection with legal claims.
  6. The right to data portability. The data subjects are entitled to request all data that a data controller holds on them and to reuse it for their own purposes.
  7. The right to object. The data subject has the right to raise objections and then requires the data controller to demonstrate that it either has compelling grounds for continuing the processing, or that the processing is necessary in connection with its legal rights.
  8. The right of automation. Data subjects have the right not to be subject to decisions based solely on automated processing which significantly affect them.

Q5: But what do I do with all the personal data I have already collected?

Good question. So long as you collected that data in line with GDPR, then you do not need to take any further action. If, however, you came by that data either indirectly or without gaining specific permission from the user, then their consent is no longer valid. Even if you believe you did obtain consent, could you prove it if asked to do so?

Q6: So I need to take GDPR seriously?

Indeed you do. Your web site has until 25th May 2018 to comply with the regulations set by the GDPR. The penalty for non-compliance can be 4% of annual global turnover, up to a maximum of €20 million. Ignorance of the law is not an excuse.

Put simply, to make your web site GDPR compliant, you should (1) avoid collecting user data where it isn’t necessary. Where you do collect it, (2) look into all the different ways in which such data is collected. Next, (3) put mechanisms in place to make sure that users can control their data. Finally, and most importantly of all, (4) whenever you receive consent, make a record of doing so. You may need to prove it one day.

Don’t delay. If you’re not ready for 25th May 2018 you could end up in trouble.