GDPR – What is it all about?
The General Data Protection Regulation will drastically change the way businesses can collect, store and protect the personal information of their customers, clients, and even visitors to a website.
GDPR defines personal data as anything that can be used to directly or indirectly identify a person. Examples include names, photos, email addresses, bank details, posts on social networking websites, medical information and IP addresses.
It is a Europe-wide set of data protection laws designed to harmonise data privacy practice across Europe. The emphasis is on protecting citizens and their data, and giving users more information about and control over how it’s used. The new regulations will come into force by May 2018.
It should be noted that whilst aspects of the GDPR are new, many of the requirements build upon the existing Data Protection legislative framework.
This means it will cover all of our personal information collected and used by businesses.
CONSUMER ESSENTIALS – before you give YOUR information, look for the PRIVACY NOTICE – businesses must be able to tell you why and how they intend to use your information. Plus, you will be expected to ‘CONSENT’ to the use of your information. Consent is, however, only one of a number of lawful bases for processing, and organisations do not always need consent to process consumers’ data. Where they do rely on consent, that consent will need to be a positive, affirmative and unambiguous action on the part of the consumer.
The law gives all of us INDIVIDUAL RIGHTS in relation to our personal information and these are detailed below.
Businesses failing to look after our personal information according to the law face a tougher ENFORCEMENT approach by the Data Protection Authority. See below.
Empowering individuals by being transparent and clear about how their data are going to be processed, and by whom, is a key element of compliance with the GDPR. At every point at which personal data are collected, whether that is from your clients, staff or others, review how you intend to provide the following at the time of collection:
- Purpose of and legal basis for processing;
- Recipients of the data;
- Any third countries data are transferred to and safeguards in place;
- Data retention periods;
- The existence of individual’s rights;
- Right to withdraw consent where provided;
- Data Protection Officer’s contact details;
- Whether data provision has statutory or contractual basis;
- Details where the legitimate interest condition has been relied upon.
The GDPR considers consent an important part of ensuring individuals have control and an understanding of how their data are to be processed.
- Consent must be freely given;
- There has to be a positive indication of agreement;
- Consent as a basis for processing gives individuals stronger rights;
- Data controllers must be able to evidence that consent was given;
- Parental consent is needed to process children’s† data on the internet. This is only required for ‘information society services’ (i.e. paid-for internet services), and our law says parental consent is required for a child under 13 years, unless the data has been pseudonymised, i.e. for example a name is replaced with a unique number to make the data record less identifying.
† The legal definition of a child will be determined at the law drafting stage, with the upper age limit required to be within the range of 13–16 years.
Individuals’ rights are enhanced and extended in a number of important areas. They include:
- A right of access to data (Subject Access);
- A right for the correction of data where inaccuracies have been identified;
- A right to require the erasure of personal data, in certain circumstances (often referred to as the ‘right to be forgotten’);
- A right to prevent direct marketing;
- Control over automated decision making & profiling;
- A right to data portability between controllers.
Penalties and Data Breaches
The GDPR provides for a tougher enforcement approach by the Data Protection Authority including the ability to impose significant fines.
- Data breaches must be reported to the Data Protection Authority within 72 hours of discovery;
- Individuals impacted should be told where there is a high risk to their rights and freedoms, e.g. identity theft or personal safety;
- Fines can be issued up to €10 million under the Jersey Law;
- Data Protection Authority can issue reprimands, warnings and bans as well as fines.
For more information please see: