GDPR: The Essentials

May 7, 2018

Chances are, you’ve had your email inbox flooded over the past couple of weeks with companies asking whether you wish to opt in and continue receiving their communications. These requests come in many forms, such as asking individuals to confirm whether they still wish to receive emails and/or which types of email they wish to receive. This is all down to the imminent arrival of GDPR.

There’s been plenty of scaremongering and misunderstanding surrounding the arrival of this new regulation. If you’re feeling a little in the dark about exactly what GDPR is and how it affects you, then you’re in the right place. It’s time to separate fact from fiction.

What is GDPR?

The General Data Protection Regulation (GDPR) is new data protection legislation that automatically comes into effect on 25 May 2018. Designed to protect the privacy of EU citizens within EU states, this law requires businesses to protect any personal data that they hold on individuals. It also gives every individual additional rights regarding how their personal information is collected, stored and handled.

Why Is It Being Introduced?

As an update to the law that was first passed in 1998, GDPR provides a modern version of data protection regulations by encompassing a wider definition of personal data itself. In general, and under the new regulations, anything that can personally identify an individual online or offline should be considered personal data. Under the Data Protection Act this covers everything from IP addresses and (Internet) cookies to personal health information.

Our information landscape has changed dramatically in the 20 years since the original law was introduced due to the immense power of the Internet, social media and email. This has provoked a shift in the way that we use data and these changes are designed to increase transparency and flexibility. The GDPR allows individuals to control and protect which companies hold their personal information as well as how and where it is shared.

Following the Rules

As a uniform set of rules under which every company across the EU should be compliant, GDPR gives organisations more clarity over what they should and should not be doing when it comes to personal data. Under the new rules, companies must communicate how and why they collect and process information in clear language. Any communications that are overlong with complex language may not pass the GDPR test.

GDPR also creates a more efficient EU-wide structure, saving time and money. It is a far more people-driven approach to data protection with a higher standard of care that reflects our contemporary habits and how we engage and share our personal information.

Pre-GDPR regulations allowed individuals to access the personal information held by companies and request information to be updated or deleted. Once GDPR comes into play, individuals can request that businesses amend any errors in the information that they hold or delete this information entirely.

They can also request a copy of the personal information that any company holds. Ideally, companies should provide direct access to information for every individual, but this is not always possible. As a baseline, this information must be available in a common format, allowing users to easily access their information and transfer their details to another provider.

The Case for Legitimate Interest

Requests made by individuals regarding their personal data are not unqualified and businesses may have the right to refuse, which is why it’s crucial for businesspeople to be aware of the case for legitimate interest. The Information Commissioner’s Office (ICO) states that “Legitimate interest is one of the six lawful bases for processing personal data. You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle.”

In order for businesses to process data, one of the six lawful bases must apply. For example, businesses can apply the Legitimate Interest rule to support their marketing efforts such as brand growth. However, transparency is essential, and businesses must communicate clearly with every individual about their information, explaining exactly what they are sending them, why they are sending it, and how they are storing their data.

The ICO has the ultimate say over whether the legitimate interests of a business outweigh those of the individual, which is why it’s vital for businesses to understand exactly what they are doing before creating any communications. It’s also essential for business owners to create a privacy policy or fine-tune an existing one to ensure it is up to scratch.

Lawful use of data can take many forms. Processing may be lawful if it is in the public interest, if it will protect the individual from fraud, or if the individual has consented to their data being processed. We recommend speaking with a professional to understand the exact definition and real-life potential scenarios of lawful data processing activities.

It’s also important to build a consent model that complies with GDPR as well as maintain consistent records of all consent obtained. Under GDPR, individuals can remove their consent whenever they desire, so squeaky-clean records are a must for both transparent relationships and business protection.

Facing the Facts

Complying with the new rules is a serious matter and the potential fines reflect this. IT Pro outlines legislation stating that fines of up to €20 million or 4% of the company’s global annual turnover may be imposed on companies that fail to adhere to GDPR or suffer a data breach.

While this is a worst-case scenario and the regulations take a tiered and proportionate approach to fines, it shows how crucial it is for companies to fully understand and adhere to the changing regulations. In the wake of the Facebook and Cambridge Analytica scandal, data exploitation is a very real threat and the severity of fines has been designed to reflect this.

In a nutshell, GDPR offers a set of basic principles that must be adhered to. If you’re a business owner, we recommend speaking to a professional who will help you to understand your duties and make sure that your business is fully compliant in respect of any data that you hold.

An expert assessment will cover the finer GDPR details, including an assessment of any third-party suppliers to ensure that your business as a whole is following the rules about personal data. They can also offer guidance on putting solid procedures in place to protect against potential security breaches, as well as explain how to set up your systems to follow a Legitimate Interest route (where applicable). We advise visiting the ICO website in the first instance to learn more about GDPR and how it may affect your business.