What is the EU GDPR and how can businesses comply?
The General Data Protection Regulations (GDPR) came into force in 2018, with the overarching aim to protect the data rights of people in the EU and allow for a free-flowing data ecosystem.
It is enforced by the Member State data protection authorities (DPAs) - in the UK, this is the Information Commissioner’s Office (ICO) - and higher authorities such as the Court of Justice of the European Union (CJEU) and the European Data Protection Board.
The main data protection principles are:
Lawfulness, fairness and transparency,
Purpose limitation,
Data minimisation,
Accuracy,
Storage limitation,
Integrity and confidentiality (security),
Accountability.
Consent is also a staple part of the GDPR, as data subjects must consent to their data being processed, as well as have the opportunity to revoke that consent. Organisations are responsible for being transparent in their data handling practices, and clearly conveying this in their Privacy Policy.
All of these principles provide requirements for data controllers and processors to handle data safely and securely and be transparent in how they collect, share and process data.
Who does the EU GDPR apply to?
The GDPR applies to data processors and controllers who process the data of EU citizens.
Data controllers have control over the reasons for data collection and the means of processing it. This could be a private company, a legal entity, or an individual person. There may also be joint controllers of data.
Under GDPR, the heaviest burden of data responsibility is on the data controller who must ensure full compliance with all the data principles. It is also on them to ensure any processors they use comply with the data principles.
Accounting for the purpose, nature, context and scope of data processing,
Considering the likelihood and severity of potential risks to the freedoms and rights of natural persons, and
Implementing appropriate organisational and technical measures, updating them where necessary.
Data processors act on behalf of the controller. They process data at the request and instruction of the controller.
However, data processors must also ensure they act in accordance with GDPR and have relevant organisational and technical measures in place.
The GDPR does not apply to data processing:
By people in the course of personal activity (e.g. keeping an address book for your personal use),
In the course of activities falling outside the scope of Union law (e.g. national security),
By the Member States carrying out certain specific activities,
By authorities for the purposes of crime prevention and detection, including safeguarding against public threats.
As the legislation is extraterritorial, it does not matter where the data is processed, provided it is the data of citizens within the EU or collected in the EU. For example, an organisation in Canada that has a customer base in France would be subject to the GDPR and penalised for breaches.
What types of data fall under GDPR?
GDPR’s remit covers “personal data” - this is information relating to an identified or identifiable natural person, or information that can be used to identify a natural person by reference to certain identifiable characteristics. For example, names, location data, online identifiers, or other factors specific to the physical, genetic, economic, cultural or social characteristics of that person.
It also covers a different category of personal data - sensitive data. This data relates to ethnic, racial, political, religious, genetic, biometric, children’s and health-related data. Essentially, special category data. This requires extra protection due to its nature and requires a lawful basis for processing. Oftentimes, this will also require meeting additional conditions and safeguards.
The difference between pseudonymisation and anonymisation
One important takeaway from GDPR is that once data is rendered “anonymised”, it is no longer considered personal data, and so falls outside the remit of GDPR.
Data is anonymised when all direct and indirect identifiers relating to individuals are removed. Most times, this is an irreversible process - this means people are unidentifiable via the data. As a result, it is no longer a privacy risk and can be processed how the organisation wishes, including for analytics.
Pseudonymised data is data that cannot be attributed to a data subject without additional information - provided the information is kept separately and subject to technical and organisational measures. For example, if an organisation encrypts data and has the ability to de-encrypt it and the decryption keys, this is a form of data pseudonymisation.
While pseudonymisation can be a useful tool to improve privacy and minimise data, pseudonymised data is still considered personal data under GDPR and requires the same safeguards and legal grounds for processing. This is because the information can still be used to identify a data subject.
What happens if we breach EU GDPR?
Breaches will be examined by the relevant DPAs who consider the type of infraction, whether it was deliberate, its severity, and other factors. DPAs can enforce warnings, rectification orders, and temporary or permanent bans on data processing. If none of these are applied, the relevant DPA can also issue the organisation with a fine.
Under GDPR, the maximum fine received is €20 million or 4% of annual global turnover - whichever is higher.
While not all infractions of GDPR mean a fine, should you receive one, they can be incredibly expensive, especially for smaller businesses.
Avoiding GDPR fines is beneficial from both a financial and a reputational perspective, as consumers are increasingly dismayed by organisations with poor data handling practices. Organisations are best placed to have a data protection officer (DPO) to oversee data handling processes and ensure they are GDPR compliant.
If you are in the UK or if you process the data of UK residents, it is also important to know the differences between EU GDPR and UK GDPR and implement these rules correctly.
Following the UK’s exit from the European Union, UK GDPR is now the main data privacy legislation in the UK, alongside the Data Protection Act 2018. As the UK looks to further establish its own sovereign data protection regime, we may see upcoming changes in UK GDPR, or even a complete replacement of the Act. However, it is still important for businesses to familiarise themselves with the legislation and ensure they have the correct mechanisms and safeguards in place.