Whenever GDPR comes up, I like to gauge the knowledge in the room by asking things like:
- “Who has heard of GDPR?”
- “Can anybody tell me what the letters stand for?”
- “What do they think it will mean for their business?”
I was quite surprised that not everybody had even heard of GDPR. We recently published a series of four blogs on the twelve things you should be thinking about now to get ready for GDPR. If you are one of those who have not heard of GDPR, however, keep calm and read on.
The GDPR or General Data Protection Regulation replaces the Data Protection Directive enacted in 1995. According to IBM, 90% of all of the data ever created in the history of the world has been created in the past two years. So, it is easy to see how a regulatory framework developed in the early 90s could be a little out of date.
These new regulations will come into force on 25th May 2018 and will apply to all companies processing the personal data of people living in Europe. The law applies to all businesses regardless of where they are based, which inevitably leads to the question: “what about Brexit?” First, the government has stated and reaffirmed numerous times that GDPR will become the data protection regulation for the UK after Brexit. Additionally, if you’ve done your maths, you have already figured out that the UK will still be in the EU in May 2018.
Who needs to think about GDPR
As I said above, these new regulations apply to any company processing data of people who live in the EU. In other words, like the Data Protection Directive, that covers all data controllers who hold and process data on people living in Europe or, to put it another way, you. Unlike the previous regime, however, GDPR lifts the data processor’s veil. Under the old regime, data processors were protected as long as they were following the instructions of the data controllers. GDPR also covers data processors; in other words, us.
Like the Data Protection Directive, the GDPR only applies to personal data, but it extends the definition of personal data to include things like online identifiers, location data and advertising IDs. GDPR also defines ‘special categories of personal data’ that are particularly sensitive. These include genetic data, which is not something most email marketers will have on their database, but also biometric data, which could become more prevalent in marketing databases as we find ever better ways to use VR for marketing and entertainment.
Data processing principles
The Data Protection Directive laid out a set of principles for processing personal data, and these are largely unchanged in GDPR. The new regulations add some detail to these principles and introduce a new principle around accountability. This accountability principle requires you not only to comply with the data processing principles laid out in the GDPR, but also to show how you comply with them.
The principles laid out in Article 5 of the GDPR state that personal data shall be:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes and not processed in a way that is incompatible with this
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Kept in a form which permits the identification of the data subject for no longer than necessary
- Processed in a manner that ensures appropriate security for the data
- Processed by a controller who is responsible for, and able to demonstrate, compliance with the principles (the accountability principle)
Rights of the individual
The GDPR is an evolution rather than a revolution in data privacy regulation, and this applies to how it defines the rights of individuals. Most of the rights stay the same, some are strengthened, and some are new. Individuals have the right to:
- Be informed about what data is collected, how it will be used and how it will be kept safe
- Have access to the data stored on them
- Correct any inaccuracies in the data
- Erase the data when they don’t want to maintain a relationship with that brand
- Restrict the processing of their data
- Obtain and reuse their data across different services
- Object to the processing of their data
- Not be subject to automated decision making and profiling
There you have it – a whistle-stop tour of the GDPR. If you are curious as to what you should think about next, I encourage you to read our four-part blog series on the twelve things you should think about now: