The EU's General Data Protection Regulation (GDPR) is the result of four years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used.
Currently, the UK relies on the Data Protection Act 1998, which was enacted following the 1995 EU Data Protection Directive, but this will be superseded by the new legislation. It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.
Why was the GDPR drafted?
The drivers behind the GDPR are twofold. Firstly, the EU wants to give people more control over how their personal data is used, bearing in mind that many companies like Facebook and Google swap access to people's data for use of their services. The current legislation was enacted before the internet and cloud technology created new ways of exploiting data, and the GDPR seeks to address that. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy.
Secondly, the EU wants to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market (the EU estimates this will save businesses a collective €2.3 billion a year).
When will the GDPR apply?
The GDPR will apply in all EU member states from 25th May 2018. Because the GDPR is a regulation, not a directive, the UK does not need to draw up new legislation - instead, it will apply automatically. While it came into force on 24th May 2016, after all parts of the EU agreed to the final text, businesses and organisations have until 25th May 2018 before the law actually applies to them.
So who does the GDPR apply to?
'Controllers' and 'processors' of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-making company to a charity or government. A processor could be an IT firm doing the actual data processing.
Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they're dealing with data belonging to EU residents.
It is the controller's responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
When can you process data under the GDPR?
Once the legislation comes into effect, controllers must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
What is meant by 'lawful'?
'Lawfully' has a range of alternative meanings, not all of which need apply. Processing can be lawful if the subject has consented to their data being processed; if it is necessary to comply with a contract or a legal obligation; if it protects an interest that is "essential for the life of" the subject; if it is in the public interest; or if it is in the controller's legitimate interest - such as preventing fraud.
At least one of these justifications must apply in order to process data.
How do you get consent under the GDPR?
Consent must be an active, affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs.
Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want. If your current model for obtaining consent doesn't meet these new rules, you'll have to bring it up to scratch or stop collecting data under that model when the GDPR applies in 2018.
What data counts as personal data under the GDPR?
The EU has substantially expanded the definition of personal data under the GDPR. To reflect the types of data organisations now collect about people, online identifiers such as IP addresses now qualify as personal data. Other data, such as economic, cultural or mental health information, is also considered personally identifiable information.
Pseudonymised personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.
Anything that counted as personal data under the Data Protection Act also qualifies as personal data under the GDPR.
What is Pseudonymisation?
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific visitor without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
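The definition above has two practical halves: the dataset itself must carry no direct identifier, and the "additional information" that would re-link it to a person must be held separately under its own controls. The following is an added illustration, not code from the original article or from any regulator, of one common way to do this: direct identifiers (here, e-mail addresses) are replaced with a keyed HMAC pseudonym, and the secret key plus the pseudonym-to-identifier lookup live in a separate service object standing in for a separately controlled system. All records, keys and names (`PseudonymisationService`, `pseudonymise`, the sample e-mails) are constructed for the example. The last function shows the caveat practitioners most often miss: an unkeyed hash of an e-mail address is not a pseudonym in this sense, because anyone with a list of candidate addresses can match it back without any secret.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records; the people and addresses are invented.
RAW_RECORDS: List[dict] = [
    {"email": "alice@example.org", "country": "DE", "plan": "pro"},
    {"email": "Bob@example.org", "country": "FR", "plan": "free"},
    {"email": "alice@example.org", "country": "DE", "plan": "pro"},
]


class PseudonymisationService:
    """Holds the 'additional information' (secret key and lookup table)
    separately from the pseudonymised dataset. In a real deployment this
    would sit behind its own access controls (e.g. a KMS-held key and a
    restricted re-identification store); here it is a separate object."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # A fresh random 256-bit key unless one is supplied (e.g. for tests).
        self._key = key if key is not None else secrets.token_bytes(32)
        # pseudonym -> original identifier; only this service can re-link.
        self._lookup: Dict[str, str] = {}

    def pseudonym_for(self, identifier: str) -> str:
        # Normalise so the same subject always maps to the same pseudonym,
        # which keeps per-subject analytics possible without the identifier.
        canonical = identifier.strip().lower().encode("utf-8")
        pseudonym = hmac.new(self._key, canonical, hashlib.sha256).hexdigest()[:32]
        self._lookup[pseudonym] = identifier
        return pseudonym

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Only the holder of this table can attribute data back to a person."""
        return self._lookup.get(pseudonym)


def pseudonymise(records: Iterable[dict], service: PseudonymisationService) -> List[dict]:
    """Return copies of the records with the e-mail replaced by a pseudonym."""
    out = []
    for record in records:
        pseudo = dict(record)
        pseudo["subject_id"] = service.pseudonym_for(pseudo.pop("email"))
        out.append(pseudo)
    return out


def contains_direct_identifier(records: Iterable[dict], identifiers: Iterable[str]) -> bool:
    """Sanity check for the released dataset: no raw identifier may survive."""
    text = repr(list(records)).lower()
    return any(ident.lower() in text for ident in identifiers)


def unkeyed_hash_is_guessable(digest_hex: str, candidates: Iterable[str]) -> bool:
    """Why the key matters: a plain SHA-256 of an e-mail can be matched back
    to it by anyone holding a list of candidate addresses, with no secret."""
    return any(hashlib.sha256(c.lower().encode("utf-8")).hexdigest() == digest_hex
               for c in candidates)


if __name__ == "__main__":
    service = PseudonymisationService()
    released = pseudonymise(RAW_RECORDS, service)
    print("released dataset:", released)
    print("same subject, same pseudonym:",
          released[0]["subject_id"] == released[2]["subject_id"])
    print("re-identified by the key holder:",
          service.reidentify(released[0]["subject_id"]))
```

The keyed pseudonym keeps the dataset useful (repeat records for one subject still group together) while the e-mail address is absent from it; whether the result still counts as personal data, as the article notes, depends on how hard it is for whoever holds the dataset to obtain the key and table.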
When can people access the data you store about them?
People can ask for access at "reasonable intervals", and controllers must generally respond within one month. The GDPR requires that controllers and processors must be transparent about how they collect data, what they do with it, and how they process it and must be clear (using plain language) in explaining these things to people.
People have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it's stored for, and who gets to see it. Where possible, data controllers should provide secure, direct access for people to review what information a controller stores about them.
They can also ask for that data, if incorrect or incomplete, to be rectified whenever they want.
What's the 'Right to be forgotten'?
Individuals also have the right to demand that their data is deleted if it's no longer necessary for the purpose for which it was collected. This is known as the 'right to be forgotten'. Under this rule, they can also demand that their data is erased if they've withdrawn their consent for their data to be collected, or object to the way it is being processed.
The controller is responsible for telling other organisations (for instance, Google) to delete any links to copies of that data, as well as the copies themselves.
What if a person or persons want to move their data elsewhere?
Controllers must now store people's information in commonly used formats (like CSV files), so that they can move a person's data to another organisation (free of charge) if the person requests it. Controllers must do this within one month of the request.
What if you suffer a data breach?
It's your responsibility to inform your data protection authority, within 72 hours of your organisation becoming aware of it, of any data breach that risks people's rights and freedoms. The UK authority is the Information Commissioner's Office.
The deadline is tight so you probably won't know every detail of a breach after discovering it. However, your initial contact with your data protection authority should outline the nature of the data that's affected, roughly how many people are impacted, what the consequences could mean for them, and what measures you've already actioned or plan to action in response.
Before you call the data protection authority, you should tell the people affected by the data breach. Those who fail to meet the 72-hour deadline could face a penalty of up to 2% of their annual worldwide revenue, or €10 million, whichever is higher.
If you don't follow the basic principles for processing data, such as having a legal basis for doing so, ignore individuals' rights over their data, or transfer data to another country in breach of the rules, the fines are even worse. Your data protection authority could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is greater.
However, it's important to note that while the maximum fines that can be issued will become much higher under GDPR, the legislation stipulates that they must remain "proportionate" to the breach. Also, if you can demonstrate that you work hard to ensure your organisation is compliant with GDPR, the ICO would likely not issue as high a fine in the event of a breach as it would otherwise.
How will Brexit affect the UK?
Yes, the UK is leaving the EU – but the UK government only triggered Article 50 in March 2017, which sets in motion the act of leaving the EU within a two-year timeframe (though it could take longer). This means the GDPR will take effect before the legal consequences of the Brexit vote, so the UK must still comply.
A new Data Protection Bill, put forward by the UK government in August 2017, essentially replicates the requirements of GDPR into UK legislation, meaning those compliant with GDPR should be compliant with the new UK data protection law.
Much like the stipulations of the GDPR, the bill sets out sanctions for non-compliant organisations, permitting the Information Commissioner's Office (ICO) to issue fines of up to £17 million, or 4% of global turnover, whichever is higher (compared to €20 million or 4% of turnover under the GDPR).
It also makes provision for the right to be forgotten, adding the ability for data subjects to demand that social media companies erase any posts they made during childhood, a good opportunity for embarrassed adults to delete things they said in their teenage years.
The bill also proposes to modernise current data protection regulations by expanding the definition of personal data to include IP addresses, internet cookies, and DNA.
By aligning with GDPR, the UK hopes to build an enhanced data protection mechanism that goes beyond the adequacy model the EU imposes on 'third' countries, allowing personal data to flow freely between the UK and EU.
The government is already working on a new Data Protection Bill that effectively replicates GDPR into UK law, and David said such a step is crucial for the UK's economic success.
Is the Investigatory Powers Act compatible with GDPR?
What's unclear is whether other new legislation will be deemed compatible with GDPR once the UK leaves the EU. For example, under the UK's Investigatory Powers Act, ISPs are compelled to collect personal web histories and hold them for up to 12 months. The government is currently having to rewrite some of these laws after identical powers in old DRIPA legislation were found to be illegal.
But Hancock wrote in October 2017 that "UK national security legislation should not present a significant obstacle to data protection negotiations."