GDPR – what does it mean?
Well, the acronym, or technically the initialism ‘GDPR’ has nothing to do with any former communist state (remember ‘GDR’?) nor indeed is it connected with the measure of a country’s economic output (that’s ‘GDP’). Perhaps combined it could be the economic output of the former East Germany?
Sadly not – though Mrs Merkel, as a former East German politician, is clearly a significant influence in its genesis. It is in fact the General Data Protection Regulation, and is actually a prescribed EU Regulation which governs how we must control the use of data.
Being a Regulation, as opposed to a Directive, it does not require any form of primary or secondary legislation in the UK to take effect – it just happens. And the date it takes effect is 25th May 2018.
So all very well and good, but what is it, and what does it mean to you and me?
The GDPR essentially updates the existing Data Protection Act 1998, which is concerned with how organisations hold and use personal data. GDPR takes the existing protections and ‘turbo-charges’ them with some potentially eye-watering consequences for companies that get it wrong.
In terms of grabbing headlines, an organisation can be fined up to 4% of annual worldwide revenue or €20 million, whichever is higher. To put that in context, Apple’s latest reported annual revenue amounted to $228 billion, so potentially subject to a fine of up to $9 billion if it loses your data!
GDPR impacts any business or organisation that processes personal data, so it’s not just about financial services. It covers a wide range of activity from what your favourite supermarket’s loyalty card account holds about your shopping habits to website viewing history.
There are, I’m afraid, some lengthy and detailed definitions – can you imagine the drudgery in converting all the text into 24 official European languages – and which one do they start with?! By way of example, you should know that ‘Personal Data’ is defined as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.’ In Swedish, I am reliably informed (by Google) that it is defined as ‘någon information som avser en identifierbar person som kan direkt eller indirekt identifieras särskilt med hänvisning till en identifierare’. Which one makes more sense?
Now back to the detail – under the GDPR, the data protection principles set out the main responsibilities for organisations. Article 5 of the GDPR requires that personal data shall be:
a) Processed lawfully, fairly and in a transparent manner in relation to individuals;
b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) Accurate and, where necessary, kept up to date;
e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The first point, a) above, is of interest. An organisation must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing. No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on the purpose and relationship with the individual.
Importantly, most lawful bases require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
The six lawful bases are:
1. Consent; the individual has given clear consent to process the personal data for a specific purpose (this one is important, so more on this below).
2. Contract; the processing is necessary for a contract with the individual (this one seems straightforward).
3. Legal obligation; the processing is necessary to comply with the law (again, straightforward).
4. Vital interests; the processing is necessary to protect someone’s life (these really are life and death scenarios such as being taken to A&E in circumstances where you cannot give consent).
5. Public task; the processing is necessary to perform a task in the public interest or for your official functions (this could cover local government or parliament).
6. Legitimate interests; the processing is necessary for an individual’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides the legitimate interests (yes, those baffling and circular definitions again, but one the ‘cold callers’ might try and use!).
Organisations are required, under GDPR, to tell people about the lawful basis used for processing data, normally in a privacy notice. If ‘Consent’ is used then this must be a positive ‘opt in’ – that is to say a pre-ticked box is not allowed.
GDPR also confers a number of rights to individuals (8 of them). These are:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling.
In the interest of brevity I will refrain from going into the full detail, but you can read the Guidance issued by the Information Commissioner’s Office here.
The rights are generally self-explanatory, but as always there is devil in the detail. One positive note for individuals is that an organisation generally cannot charge for a data access request, whereas under current rules they can.
The right to erasure is also an interesting one. We, for example, could not erase a client’s data where we still have a legal or regulatory obligation to maintain personal information where it is related to the services we provide.
So what can you expect over coming months?
You have probably already seen an increase in communications from organisations who are informing you of what data they hold or process and what the lawful purpose is for processing that data (that’s the disclosure bit, likely to be in a ‘privacy notice’ – you can see ours here).
You may have already seen communications about positively opting in to receive marketing or similar communications.
And you will definitely be receiving new terms and conditions and agreements from financial services providers which cover all the new requirements.
And who knows, perhaps fewer cold calls? That is definitely one which I am sure most people will be thanking the EU for, should it crystallise. At the very least you will be equipped with knowledge to challenge the caller about their lawful basis and your consent!