What is the General Data Protection Regulation (GDPR)?

The GDPR is a European-wide regulation that comes into force on 25 May 2018. The legislation is designed to protect people’s personal data from being stolen or exploited by companies.

Central to the new regulation is the idea of keeping people’s personal data safe and accurate, obtaining consent to collect it, and having a business purpose to hold on to it. Current data-protection legislation goes some way towards this, but the GDPR goes further.

See our guide on how to improve your GDPR compliance for more practical advice, or read on for a general overview of the GDPR and what constitutes personal data.

What is personal data?

Personal data is any information that can be used to identify an individual, such as name, postal address, email address, date of birth, gender, National Insurance number, NHS number, bank details, credit card details and so on. Often it is information that will be collected as part of marketing activity, or held about customers that you’ve worked with.

Some personal data is classified as sensitive, and requires particularly careful handling. This includes data on an individual’s ethnicity, religion, political affiliation, sexual orientation, trade union membership, previous criminal convictions, biometric data (such as fingerprints or eye scans), physical or mental health.

The GDPR broadens out the definition of personal data from the existing Data Protection Act. It now includes almost any information that can be used to identify an individual when combined with other elements of personal data. For example, items such as IP addresses (for individual computers) or physical records, such as business cards, record cards and manual filing systems, can now be classed as personal data. Also, businesses that use fingerprint recognition to gain access to a building or a locker (as in a gym) will also be subject to the regulations.

Why does any of this matter?

There are large fines for failing to comply with the collection and management of data as specified by the GDPR. The most serious cases can incur fines of up to 4% of global turnover or €20m , whichever is bigger.

Will this still apply after Brexit?

Yes. Brexit will not stop UK businesses having to comply with the new regulations – the UK will still be part of the EU when they come into force in May 2018. The GDPR will continue to apply until it is specifically repealed or overtaken by new legislation.

What are the new areas of regulation?

Accountability

The GDPR contains a principle of accountability for all businesses that collect personal data (controllers) and process it (processors). Your business is accountable for the data it collects and processes.

In practice, this means you must provide evidence of complying with the GDPR in the form of documented policies and procedures to deal with collecting and processing personal data.

You will need to document what personal data you hold, what you do with it, and if you share it with any other organisations: who, what and why.

Your business will be held responsible for the accuracy of the data you hold. This means checking that it’s up to date. If you share data and it turns out to be inaccurate, it’s up to you to contact other organisations you shared it with, to get it updated

Breach notification

Under GDPR, you must report any significant personal-data breaches within 72 hours of their discovery to the relevant authority – in the UK, that’s the Information Commissioner’s Office (ICO). In the most serious cases you must report it to the individuals concerned too.

The ICO defines a personal data breach as ‘a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.' This means that a breach is more than just losing personal data.

Collecting data and privacy notices

Under current legislation, before you collect any personal data, you need to give your customers information about:

• who you are
• why you are collecting their data
• how you will use this information
• whether you will share it with any third parties.

This information is usually shared in a privacy notice, which often takes the form of a few lines of text near a tick box, to allow customers to give their consent.

Under the GDPR you will need to update your privacy notice. As well as the existing points, you will need to explain:

• your lawful basis for processing the data
• for how long you will keep the data
• the individual’s right to complain to the ICO if they think there’s a problem with how you’re handling their data.

The GDPR emphasises the need for clear, transparent communication. It says the information you supply about the processing of personal data must be:

• concise, transparent, intelligible and easily accessible
• written in clear and plain language, particularly if addressed to a child
• free of charge.

Data transfer

The GDPR imposes restrictions on transferring data outside the EU. Even if you think this doesn’t apply to you, be careful - if you store data with a third-party company and it has servers outside the EU, then you would be in breach of the GDPR if it moved personal data you collect to those servers.

Individuals’ rights

Many of the individuals’ rights are similar to the current Data Protection Act. People have the right to request access to any personal data you hold on them, under a subject access request. Under the GDPR you must provide this free of charge, as long as it is a ‘reasonable’ request i.e. not one that has been made repeatedly and not for volumes of information that it would be impossible to produce within the time allowed. The deadline to provide the information has also been reduced to 30 days.

Individuals are allowed to object to how you use their data. If you process data for direct marketing, you must stop using the person’s data as soon as you receive an objection, until either the objection is resolved or the data is removed.

People have the right to request that you delete their personal data if:

• it’s no longer needed for the purpose it was originally collected or processed
• they withdraw consent
• they formally object to its being used and there’s no overriding legitimate reason to continue using it
• it was processed unlawfully (in breach of the GDPR)
• there is a legal need to erase it.

What does my business need to do to prepare?

1. Identify where, and on what systems, your business holds personal data

It’s likely you hold data in different areas. For example, if you have employees, you’re likely to hold personal data on all of them – bank details, names, addresses, marital status, next of kin, date of birth, and so on.

You may also have customer records, credit card details on file, databases of potential sales, information about previous members of staff – the list goes on. Undertaking an audit on all these systems and information should let you know what data you’ve got, and where you’re storing it. 

2. Remove any unnecessary data, and take steps to protect what’s left

As part of the new regulation, you need to have a business reason to hold on to personal data. If there is no current reason, delete it.

Ensure any personal data you do need to keep is stored securely. If possible, encrypt or anonymise data to avoid identifying individuals, as this helps protect against breach or misuse.

3. Update your privacy notice    

Your privacy notice needs to cover:

• who you are
• what you are collecting and on what legal basis
• what you will do with the data
• how long you will hold it
• individuals’ right to object to the ICO.

4. Ensure your processes cover individuals’ rights

Have a process in place to deal with subject access requests, objections or erasure requests. How would your business locate data on an individual if they asked for it? What would you do if someone objected to your using their data for marketing? Would your systems be able to find and delete specific data if necessary?

5. Identify the lawful basis for collecting data

You may well not have considered this in the past, but you will need to demonstrate that there is a lawful basis for collecting personal data under the GDPR.

6. Ensure your process for obtaining consent meets the GDPR standard

The standards are higher for getting consent to obtain or process data under the GDPR. The rules state that consent must be ‘specific, granular, clear, prominent, opt-in, documented and easily withdrawn’.

This means you must let customers know precisely what you are collecting and for what purpose, inform them how they can withdraw their consent, and ensure they actively agree to data collection. Vague definitions or agreements are not good enough. For example, you cannot pre-tick boxes online that give consent. You can find more detailed information on the ICO's website.

7. Get a process in place to deal with data breach

You need to create a procedure for what to do in the event of a data breach. How would you identify the breach? Who would you contact? How would you try to contain the breach? Who would you report it to, and how would that work? How could you learn from any breach to ensure that it wouldn’t happen again?

Where can I find more information?

The ICO is responsible for helping organisations prepare for the GDPR. It has a range of articles and information online to help businesses in the run-up to the May 2018 deadline.

The government’s Cyber Essentials scheme on Cyber Streetwise has information about how to protect your business from cyber attack.

More on this…

• Tips to protect your business from cyber attack
• More about technology to help your business
• How technological change could affect your business