by GDPR Associates | 22nd May 2019 11:17 am
The General Data Protection Regulation (GDPR) applies automatically to all 28 member states of the European Union, unlike a directive, which requires member states to draft domestic laws to enforce its rules.
It came into effect on 25 May 2018 and sets out to bolster the rights EU citizens have over the data that companies hold about them.
Before its implementation, misuse of a person’s data was punishable by a slap on the wrist. Now, mammoth fines are issued against companies that fail to comply with the regulation’s standards. In the worst cases, companies found guilty of misusing data can be fined up to €20 million or 4% of the company’s annual turnover.
The regulation aims to give people greater power over their data and to make companies more transparent in how they deal with people’s data.
Until GDPR came into force on 25 May 2018, there was just the outdated Data Protection Directive of 1995, implemented in the UK as the Data Protection Act 1998. The world has changed dramatically since 1995 and new laws were needed to address the modern world of large-scale internet use and social media. Over the last 24 years, businesses have become far more dependent on the web, web-based companies and social media sites have risen to prominence, and as a result misuse of the internet is far greater than it was in 1995.
An example of why laws are needed for data protection can be seen when using one of the many digital platforms, such as Google or Facebook, that offer ‘free’ services, but take some kind of payment in the form of data collection. You’re not paying directly as such, but when you use Google’s search engine or search through Facebook’s news feed, your actions are recorded and packaged as data for third-party companies. This is how you’re retargeted by adverts or sent marketing emails.
This type of data collection is often masked by unclear tick boxes or opt-in buttons. You might not even remember agreeing to them, but it’s the reason you receive emails that aren’t completely in line with your interests and simply clutter your inbox.
A prominent example of how companies are still misusing data was Facebook’s Cambridge Analytica scandal, in which a third-party app collected data from Facebook users without their knowledge. Those people were then targeted with campaigns that ended up unfairly affecting the outcome of the 2016 US election.
A separate aim of GDPR is to make it easier and cheaper for companies to comply with data protection rules. The EU’s 1995 directive allowed member states to interpret the rules as they saw fit when they turned it into local legislation. The nature of GDPR as a regulation, and not a directive, means it applies directly without needing to be turned into law, creating fewer variations in interpretation between member states. The EU believes this will collectively save companies €2.3 billion a year.
The GDPR has applied to organisations across the world since 25 May 2018. Because GDPR is a regulation, not a directive, the UK did not need to draw up new legislation – instead, it applied automatically.
With the UK now set to leave the European Union, the UK has formalised GDPR into new legislation under the Data Protection Act 2018. GDPR now sits alongside the DPA; in most cases, however, the DPA is the legislation referred to as a matter of law.
If you don’t think you need to respect the GDPR legislation, you’re unfortunately probably going to find yourself in hot water. Whether your business operates with clients in the EU or outside it, it’s vital you respect the rules and make sure you’re compliant with regulations.
Pretty much every business must comply with the EU’s data laws, even if it is based in the US. This is because most companies have at least some data belonging to EU citizens stored on their servers, and it is the people to whom the data belongs who are protected, not the business.
However, if you truly have no dealings with the EU, you can avoid having to comply by filtering traffic. By blocking all EU traffic to your website, you can make sure that only non-EU traffic reaches it and that only people outside Europe can enter their details onto your site.
This is obviously a technique relevant only to businesses that do not need contact with EU citizens, such as US-based news sources. The LA Times is one company that has implemented this GDPR avoidance scheme.
There’s a distinct difference between a data controller and a data processor, as stipulated by the EU.
A data controller is responsible for setting out how and why data is collected, but doesn’t necessarily collect the data itself.
That means a controller could be any organisation, from a high street retailer to a global manufacturing giant to a charity, while a processor could be an IT services firm they employ.
It’s the controller’s job to make sure the processor complies with data protection law, while processors must maintain records of their processing activities to prove they abide by rules. Unlike older data protection laws, both the controller and the processor are jointly liable for financial penalties in the event of a data breach or if the processor is found to have handled data illegally.
GDPR states that controllers must ensure that personal data is processed lawfully, transparently, and for a specific purpose.
That means people must understand why their data is being processed, and how it is being processed, while that processing must abide by GDPR rules.
‘Lawfully’ has a range of alternative meanings, not all of which need apply. First, processing can be lawful if the subject has consented to their data being processed. Alternatively, it can be lawful if it is needed to comply with a contract or legal obligation; to protect an interest that is “essential for the life of” the subject; if processing the data is in the public interest; or if doing so is in the controller’s legitimate interest – such as preventing fraud.
At least one of these justifications must apply in order to process data.
Consent must be an active, affirmative action by the data subject, rather than the passive acceptance under some models that allow for pre-ticked boxes or opt-outs.
Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want. If your current model for obtaining consent doesn’t meet these new rules, you’ll have to bring it up to scratch or stop collecting data under that model when the GDPR applies in 2018.
The EU has substantially expanded the definition of personal data under the GDPR. To reflect the types of data organisations now collect about people, online identifiers such as IP addresses now qualify as personal data. Other data, such as economic, cultural or mental health information, is also considered personally identifiable information.
Pseudonymised personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.
Anything that counted as personal data under the Data Protection Act also qualifies as personal data under the GDPR.
Aiming to give users and customers more rights and power over their own information, GDPR stipulates that people can lodge requests to access their data from organisations.
Anybody can submit a subject access request (SAR) to a data controller, and if the request is deemed reasonable (certain exemptions apply) the organisation has a month to fulfil it in full. A SAR provision already existed in UK law prior to GDPR, but the new regulation reduced the legal time limit from 40 to 30 days.
GDPR dictates that controllers and processors must both establish clearly how information is collected, what purposes the data is used for, and the ways in which this data is processed. Clear and plain language must also be used consistently across any messaging, restricting the liberty many firms took in sending reams of dense and complex information to consumers in order to obfuscate objectionable data practices.
By submitting a SAR, users exercise their right to know what data a company holds on them, and how their data is processed, among a number of other facts.
Users and customers can also ask at any time for data that is wrong or incomplete to be corrected and brought up to date.
Refusing to comply with SARs constitutes a potential breach, with a number of companies, including Twitter, currently facing a GDPR investigation for failing to provide users with the appropriate information requested.
GDPR makes it clear that people can have their data deleted at any time if it’s not relevant anymore – i.e. the company storing it no longer needs it for the purpose they collected it for. If the data was collected under the consent model, a citizen can withdraw this consent whenever they like. They might do so because they object to how an organisation is processing their information, or simply don’t want it collected anymore.
The controller is responsible for telling other organisations (for instance, Google) to delete any links to copies of that data, as well as the copies themselves.
If people ask to take their data to another provider, you have to let them – and swiftly: the legislation means citizens can expect you to honour such a request within four weeks. Controllers must ensure people’s data is in an open, common format like CSV, meaning that when it moves to another provider it can still be read.
Two tiers of fines exist under GDPR, but both are much bigger than any the UK has seen before. Under the Data Protection Act 1998, the UK regulator, the Information Commissioner’s Office (ICO), was able to fine companies a maximum of £500,000.
GDPR massively increases the ceiling on fines. First of all, your organisation faces a penalty of up to 2% of its annual turnover, or €10 million, for failing to report a data breach to the ICO within 72 hours of becoming aware of it. That initial contact should outline the nature of the data that’s affected, roughly how many people are impacted, what the consequences could mean for them, and what measures you’ve already taken or plan to take in response. It’s worth noting that the window is a fixed 72 hours after the discovery of an incident, not 72 working hours, as some companies have been led to believe.
Then there is the fine for a breach of personal data itself. Data breaches under GDPR could be punished by a maximum fine of 4% of your organisation’s annual turnover, or €20 million, whichever is higher.
You can read our article on GDPR fines for more information on this, but the regulation does make clear that fines must be “proportional”, therefore you’re unlikely to face the most severe penalty if it’s a minor breach, or if you can demonstrate you are largely compliant with the legislation.
The ICO itself has said it views fines as a “last resort”.
At the time of writing, the ICO has yet to collect a fine for breaches of the GDPR. Equifax narrowly avoided a multi-million pound fine under the new regulation, with dates of the breach meaning the ICO could only fine the company £500,000 for failing to protect millions of UK citizens’ personal data during a cyber attack.
Facebook has also been hit by a £500,000 fine, but the ICO has yet to formally request this payment, as is the case with Equifax.
The ICO has a number of ongoing investigations, however. This includes the breach on Ticketmaster’s systems in late June, which could be a litmus test for how the regulatory body punishes organisations under GDPR.
Yes, the UK is leaving the EU – but because the UK government only triggered Article 50 in March 2017, which sets in motion the act of leaving the EU within a two-year timeframe (though it could take longer), GDPR takes effect before the legal consequences of the Brexit vote, and so the UK must still comply.
A new Data Protection Act, put forward by the UK government in August 2017 and which received Royal Assent on 23 May 2018, essentially replicates the requirements of GDPR into UK legislation, meaning those compliant with GDPR should be compliant with the new UK data protection law.
Much like the stipulations of GDPR, the bill sets out sanctions for non-compliant organisations, permitting the Information Commissioner’s Office (ICO) to issue fines of up to £17 million, or 4% of global turnover, whichever is higher (compared to €20 million or 4% of turnover under GDPR).
It also provides provisions for the right to be forgotten, adding the ability for data subjects to demand social media companies erase any posts they made during childhood, a good opportunity for embarrassed adults to delete things they said in their teenage years.
The bill also proposes to modernise current data protection regulations by expanding the definition of personal data to include IP addresses, internet cookies, and DNA.
By aligning with GDPR, the UK hopes to build an enhanced data protection mechanism that goes beyond the adequacy model the EU imposes on ‘third’ countries, allowing personal data to flow freely between the UK and EU.
Former digital minister Matt Hancock said at the time: “Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU. We are committed to ensuring that uninterrupted data flows continue between the UK and the EU and other countries around the world.”
But that doesn’t mean the UK will continue to get a say in the development of data protection law in the EU after Brexit.
In fact, the EU’s chief Brexit negotiator poured cold water on that notion by ruling out any UK involvement in the board set up to apply and regulate GDPR after the UK leaves the bloc in 2019.
The ICO had hoped to continue to participate in the European Data Protection Board (EDPB) post-Brexit, with information commissioner Elizabeth Denham saying a seat at the table of EU data protection authorities would be “really advantageous to business”.
But Michel Barnier responded in May that Brexit “is not, and never will be, in the interest of EU business”, and the UK must accept the consequences of its decision to leave, including that it cannot participate in the EDPB.
It means the UK is likely to be relegated to third-country status on data protection, where the EU must decide that the UK’s data protection law is ‘adequate’ in relation to GDPR to ensure data can flow between the two parties more easily.
Denham spelt out what that means for the UK to the Parliamentary Committee for Exiting the EU, saying: “We will be a less influential regulator.” That means the UK won’t have a say on interpreting GDPR, or how it applies to AI, and how big tech companies are regulated.
However, what’s unclear is whether other new legislation will be deemed compatible with GDPR once the UK leaves the EU. For example, under the UK’s Investigatory Powers Act, ISPs are compelled to collect personal web histories and hold them for up to 12 months. The government is currently having to rewrite some of these laws after identical powers in old DRIPA legislation were found to be illegal.
But Hancock wrote in October 2017 that “UK national security legislation should not present a significant obstacle to data protection negotiations.”
Any public body carrying out data processing needs to employ a data protection officer, as do companies whose core activities involve data processing that requires them to regularly monitor individuals “on a large scale”, according to the GDPR legislation. Public bodies are at an advantage, in that several can share the same data protection officer. Organisations should give the contact details of this person to their data protection authority.
The data protection officer’s job is to inform and advise the organisation about meeting GDPR requirements and to monitor compliance. They’ll also act as the data protection authority’s primary point of contact, and will be expected to cooperate with the authority. Read a bit more about the role here.
This article was originally posted here: https://www.itpro.co.uk/it-legislation/27814/what-is-gdpr-everything-you-need-to-know
Source URL: https://www.gdpr.associates/what-is-gdpr-everything-you-need-to-know-from-requirements-to-fines/
Copyright ©2020 GDPR Associates unless otherwise noted.