What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (2016/679 EU) (GDPR) is the new governing legislation that modernises and reforms the laws that address the collecting and processing of personal data in the EU. It replaces the European Data Protection Directive (95/46/EC), which is implemented in the UK by the Data Protection Act 1998, and was implemented inconsistently across Europe and did not have legislative authority.
The GDPR applies to all 28 EU member states and has the full force of the law. The Government has confirmed that the GDPR will be implemented in the UK as it will still be a member of the EU at that time.
The GDPR requires that personal data be processed according to many of the same principles as under the current Data Protection Act 1998. However, employers should note, in particular, that the GDPR has new requirements:
- that restrict the use of consent as a justification for processing data;
- on demonstrating compliance through the documentation of data processing activities;
- on adopting organisational measures for data protection such as policies and practices;
- on providing more information to employees and job applicants on the purpose and legal grounds for collecting their data, and their rights in relation to their personal data.
Notable changes include:
Stricter consent rules.
The GDPR requires that individuals give unambiguous, informed consent before their data may be processed. Consent cannot be assumed from inaction.
Enhanced rights for data subjects.
Individuals have more rights under the GDPR including rights to: have their personal data erased, have inaccurate data corrected, be removed from digital marketing, and request personal data be ported to another service provider
Data breach notification.
Organisations must notify those whose data has been breached, within 72 hours of the breach.
Increased accountability measures.
There are a number of new governance requirements for subject organizations, including conducting privacy impact assessments and appointing a data protection officer.
Moving towards data minimisation.
Most businesses and their marketing teams follow the practice of data maximisation, i.e. collecting as much data about consumers as possible, sometimes before they know exactly what, how, or when that data will be used. In addition they will extract as much value out of this data as they can, including at times, reusing it for various purposes or even selling it to another party. One of the biggest tenets of the GDPR is the principle of data minimisation, that is, that firms collect only the smallest amount of personal data for the shortest period of time possible, and delete it as quickly as possible after its specific purpose is completed.
- It applies to EU citizens’ personal data, regardless of where it is collected, stored, or processed – whether inside or outside of the EU;
- If your company collects and stores the personal data of EU citizens, the GDPR is relevant to your organization, even if you don’t have a formal presence in the EU zone.
- The GDPR does not apply to the processing of personal data as it pertains to matters of national security or "purely personal or household activity."
Employers should also be aware that the GDPR creates a new enforcement system, with significantly higher maximum penalties than under the Data Protection Act 1998. In particular, breach of the GDPR in some circumstances can lead to a maximum fine of €20 million or 4% of an undertaking's worldwide annual turnover, whichever is higher.
For full details visit the Information Commissioner’s Office.