In Plain English: Everything You Need to Know About the GDPR

We’ve seen how technology is disrupting industries both old and new: Uber and Lyft are disrupting transport, Netflix is disrupting how movies and TV shows are produced and consumed, and AI is threatening to disrupt every single industry in ways we never before thought possible. But technology also disrupts the laws and regulations implemented by countries, and the GDPR was designed to replace an earlier directive that was no longer sufficient: Directive 95/46/EC (the Data Protection Directive).

The General Data Protection Regulation is, obviously, centered around data protection, but it doesn’t regulate all data protection. Instead, it is focused on the personal data of individuals, specifically individuals residing in any EU member state. It updates existing – and introduces new – regulations relating to the collection and processing of the personal data of any individual residing in any EU member state. And it doesn’t only apply to businesses and organizations with a physical presence in any EU member state. Businesses and organizations throughout the world will need to be compliant with the GDPR if they collect and process the personal data of any individuals residing in the EU.

The purpose of the regulations is not to make it more difficult for businesses to sell, market, or perform any of their normal business functions. Instead, it is designed to give individuals greater control over who collects and processes their personal data, what it is used for, and how it is kept safe.

It does this by first differentiating between personal data and sensitive personal data. Personal data is any information that makes it possible to identify an individual, either directly or indirectly; it includes data such as names, identification numbers, location data, and online identifiers. Sensitive personal data also makes it possible to identify an individual, but through an expanded set of specific factors, including elements of their physical appearance, physiology, genetics, mental health, and economic, cultural, or social identity. The collection and processing of sensitive personal data is not allowed except under very specific circumstances, and it carries additional requirements in terms of data safety.

Next, the GDPR refines the principle of consent, requiring:

  • The explicit consent of individuals.
  • The elimination of blanket consent, consent by default, and consent as a condition of sale, service, or general terms and conditions.
  • The ability for individuals to easily withdraw consent.

There are provisions within the GDPR for times when consent is not necessary, but these all relate to very specific lawful bases for collecting and processing personal data.

The GDPR then clarifies the rights of individuals in terms of their personal data, broken down as follows:

  • The right to be informed, typically covered by your privacy notice. Detailed information regarding who is collecting and processing the personal data, along with how it will be used, must be freely available and written in clear, plain language.
  • The right of access. Individuals can request confirmation from you that their data is being processed. They can also request a copy of all their information that you hold, along with any supplementary information. It should be provided free of charge, and within one month of the request being made.
  • The right to rectification. Individuals can request you to correct any incomplete or inaccurate information that you hold, with you then being responsible for passing the corrected information onto any third-parties you previously shared the data with.
  • The right to erasure. This is not an absolute right to be forgotten, but rather a provision for individuals to request the deletion of their data by you when there is no longer a legitimate reason for you to continue processing it, or when they withdraw their consent.
  • The right to restrict processing. Under certain circumstances, individuals can request that the further processing of their data be restricted. This differs from the right to erasure in that you are still permitted to store some personal data, just not to process it further.
  • The right to data portability. This allows individuals to obtain their data from you and reuse it for their own purposes across other services. However, it only applies in circumstances where the individual provided a controller with their personal data, typically in the performance of a contract.
  • The right to object. Unless you have compelling legitimate reasons to process an individual’s data, they retain the right to object to processing for a number of reasons.
  • Rights in relation to automated decision making and profiling. The GDPR requires that safeguards be put in place for any automated processing and decision making, to minimise the risk of any damaging or adverse decisions being made without the possibility of human intervention, or the ability to seek an explanation.

The GDPR goes into great detail in relation to accountability and governance within businesses and organizations. This addresses matters such as:

  • The implementation of measures that ensure and demonstrate compliance. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
  • Maintaining relevant documentation of all processing activities.
  • Identifying whether your organization is a data processor, a data controller, or both. You need to understand the purpose and requirements of these distinct roles in terms of the GDPR, and where appropriate, you may need to appoint a data protection officer.
  • The implementation of measures that satisfy the principles of data protection by design, and data protection by default. This could include:
    • data minimisation
    • pseudonymisation or anonymisation of data
    • the ability for individuals to monitor the processing of their data
    • ongoing improvement of security features

Finally, the GDPR introduces new requirements for how personal data is processed to ensure security, along with requirements for how businesses and organizations need to respond to data breaches.

It is important to remember that the GDPR does not affect all businesses and organizations, only those who collect and/or process personal data, either of their clients or on behalf of another organization. If you don’t collect or process any personal data of individuals, you have nothing to worry about. If you do, the primary matter you should be concerned about is ensuring that you are fully compliant with the requirements of the GDPR. The GDPR should in no way prevent your business from continuing to operate. It may force you to change some of your processes and make some tasks more difficult to perform, but it never makes it impossible to operate.

The heavy fines possible under the GDPR are not meant to harm businesses, but rather to deter relevant businesses and organizations from ignoring the regulations and putting the personal data of individuals at risk.

But as with any new regulation, we will have to wait until it is enforced, and new case law established, to ascertain any true material impact on organizations, and individuals, and whether or not this will change over time.

B2B

The GDPR specifically applies to individuals, so in the context of B2B relationships – existing and new – the impact of the GDPR will depend on the contact information you use to communicate with your B2B clients. Whenever your contact information includes personal data, you need to follow the regulations relating to explicit – and recorded – opt-in consent, and the regulations regarding data protection apply as well.

If, however, your records only include generic contact information (a contact number or email address with no name attached) you don’t necessarily have to record explicit consent, but you must make it easy for the company or organization to opt-out, and keep a record of this.

Marketing

The GDPR is not a death knell for marketing; it is simply a way of regulating certain aspects of marketing. It doesn't kill off direct marketing, it merely hands control of direct marketing to individuals. This means that marketers now need to ensure that they have explicit consent from individuals to market to them directly (be it via phone calls, email campaigns, or even direct mailing). It also means marketers now need to inform individuals:

  • Who will be marketing to them (company or organization name). If any third-party controllers will also be using the individual’s personal data, they too must be named.
  • How their personal information will be used, and what it will be used for.
  • That they can opt-out at any time, while also explaining the process for opting out.

Marketers also need to understand that blanket consent is no longer allowed. Under the GDPR, individuals give consent for a specific campaign or purpose, and should that campaign or purpose change, they need to give consent again. If your customer gives consent to receive marketing communications relating to your range of lawn furniture, you cannot suddenly switch to marketing your new range of bathroom products to them.

COMPANIES

What does the GDPR mean for companies?

Companies and organizations collecting and processing the personal data of individuals residing in the EU, regardless of the company’s physical location, need to be aware of the following:

  • The GDPR clearly defines different roles for controllers and processors. Data processors carry out the actual processing of personal data, while data controllers specify why and how personal data is processed. Data controllers are also responsible for ensuring that data processors adhere to all the requirements of the GDPR.
  • Some companies and organizations are also required to appoint a Data Protection Officer (DPO). The Article 29 Working Party has published separate guidelines on DPOs, along with some helpful FAQs.
  • Companies and organizations are required to obtain – and record – an individual’s explicit consent for the personal data to be stored and used. They also need to explain to the individual how the personal data will be used.
  • Data breaches that are likely to result in a risk to the rights and freedoms of individuals need to be reported to the relevant supervisory authority within 72 hours. When a data breach is likely to result in a high risk to the rights and freedoms of individuals, those affected need to be notified directly.
  • Individuals have the right to request a copy of their personal data and supplementary information, as processed by any company or organization. This allows individuals to be aware of, and to verify the lawfulness of the processing.
  • The GDPR provides individuals with a right to erasure, sometimes referred to as a right to be forgotten. This allows individuals to request the deletion or removal of their personal data where there is no valid or compelling reason for it to continue being processed. The right is not absolute, and companies and organizations can refuse to delete data under certain circumstances.
  • Data portability gives individuals the right to obtain and reuse their personal data across different services. This allows individuals to move, copy, or transfer their own personal data from one environment to another, for a number of reasons.
  • While privacy by design has always been an implicit requirement of data protection, under the GDPR, companies and organizations are now obliged to implement measures to integrate data protection with data processing activities.

USA

How will the GDPR affect US companies?

The GDPR applies to all companies and organizations collecting and processing the personal data of individuals residing in the EU, regardless of the company’s physical location. As such, US companies – and companies in other countries around the world – are still expected to comply with the new regulations if any of the personal data they collect and process is that of residents of an EU member state. This remains true even if the company does not have any physical presence in any EU member state. While the GDPR is unlikely to affect a small florist in Rock Springs, Wyoming, any business – US based, or other – collecting and processing personal data of EU residents will need to put measures in place in order to comply with the GDPR. This includes, amongst others, ensuring:

  • Explicit, recorded consent to collect and process the personal data of the individual.
  • A clear explanation of how the data will be used and for what purposes.
  • Privacy by design, along with compliance relating to data breaches.
  • Support for data portability and right to erasure.
  • Compliance with the GDPR requirements for the use of personal data by third-parties.

Many businesses are used to using landing pages and newsletter subscription forms to build out their customer database. Under the GDPR, this will no longer be acceptable when it comes to the personal data of EU residents because blanket consent is no longer allowed. The GDPR only recognizes explicit consent being given for a specific purpose, which must be stated when the individual gives consent. If an EU resident signs up for your weekly email newsletter, they will be giving explicit consent to receive just that: a weekly email newsletter. You cannot later switch to sending them daily deals via email, because they did not consent to that. Whenever the purpose of collecting and processing personal data changes, new consent must be given.

Why is the GDPR good for business?

The GDPR brings opportunities for organizations to build greater trust with their customers, and this is always positive. For many organizations, it is also an opportunity to clean up their marketing and sales databases, not only updating personal data but also ensuring that they now contain only individuals who are still active and still interested in your products or services. It also gives organizations the opportunity to look at how they collect and process data with fresh eyes, identifying new avenues for marketing and sales growth that never existed before, or were simply overlooked.

Becoming Aware

The first step is fairly obvious and involves ensuring that all relevant employees and contractors are aware of the GDPR, and what is required of them and the organization in order to be compliant.

Becoming Accountable

Accountability starts with a full data audit, and depending on the size of your organization, and the amount of personal data you hold, a data audit will be one of the biggest tasks you need to accomplish ahead of GDPR enforcement. It is also one of the most important tasks.

Your data audit should see you compiling a full inventory of all personal data you hold, and answering the following questions in relation to each record:

  • How did you collect the personal data? Was it given to you by the individual, and if so, how? Or was it collected by other means?
  • Why did you originally collect the personal data? What was the original purpose? Was it through a newsletter signup, a request for more information on a specific product/service, through the individual creating an online account (either to shop online, or for some other purpose)?
  • Why are you still processing the data, and for how much longer will you continue processing it? If you no longer have a legitimate reason for processing, you shouldn’t be holding onto the data.
  • Is the data secure? This covers both encryption and restricting access to people who understand the GDPR requirements for data processing.
  • Has the data ever been shared with any third parties? If so, do you have evidence on record that they are compliant with the GDPR, and does the individual know that their data has been shared, with whom, and for what purposes?

The GDPR doesn’t only require organizations to be able to demonstrate the ways in which they comply with data processing requirements; in many instances it requires documentation to support this. Again, the ICO website has a brief checklist helping organizations identify shortcomings in the way they ask for, record, and manage consent.

Communicating with Customers, Staff, and Service Users

Compliance with the GDPR will also depend on your organization updating all privacy notices, or adding privacy notices if they aren’t already in place. When considering or updating privacy notices, it is important to do a proper assessment of how you collect data, acknowledging that – in addition to traditional forms of data collection – this could now also be any one, or a combination, of the following:

  • observed, by tracking people online or by smart devices;
  • derived from combining other data sets; or
  • inferred by using algorithms to analyse a variety of data, such as social media, location data, and records of purchases, in order to profile people, for example in terms of their credit risk, state of health, or suitability for a job.

Privacy notices need to be concise, written in plain language, and easily accessible. The GDPR also expects organizations to include specific information in privacy notices, with slight variations depending on whether data is collected directly from individuals or not. The image below summarises this.