What Does GDPR Mean For You?
The EU’s General Data Protection Regulation (GDPR) applies from 25 May 2018. Many people are confused about what (if any) changes will happen as a result. I’ve outlined a few of the key differences between the Data Protection Act (DPA) and GDPR for you.
Penalties
The maximum fine for DPA non-compliance is £500,000 or 1% of annual turnover.
GDPR is far more severe: the maximum penalty is €20 million or 4% of annual “global” turnover, whichever is higher.
Data Protection Officer (DPO)
GDPR will require certain organisations to hire or appoint a DPO to ensure compliance.
A DPO will be required if you:
- Are a public authority (except for courts acting in their judicial capacity)
- Carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking)
- Carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.
There is no equivalent requirement under DPA.
Data Breaches
The DPA encourages businesses to report data breaches, but they aren’t obliged to do so.
GDPR requires breaches that are likely to result in “a risk to the rights and freedoms of individuals” to be reported to the relevant supervisory authority within 72 hours of becoming aware of them. If the risk to the individuals is high, they must also be notified directly, without undue delay.
Data Removal
Under the DPA, an individual can only demand erasure where processing causes unwarranted and substantial damage or distress.
GDPR flips the tables: the right to erasure applies by default and can only be refused where the processing is necessary:
- to exercise the right of freedom of expression and information
- to comply with a legal obligation, or for the performance of a public interest task or the exercise of official authority
- for public health purposes in the public interest
- for archiving purposes in the public interest, scientific or historical research, or statistical purposes
- for the establishment, exercise or defence of legal claims
The right is given particular weight where consent was given as a child, since children may not have been fully aware of the risks involved at the time.
Privacy Impact Assessment (PIA)
Under the DPA, PIAs are used to champion “privacy by design”, in an effort to make data more secure and reduce cases of non-compliance. Businesses are encouraged to carry out a PIA whenever data handling processes change. However, there is no legal requirement for them to be carried out.
GDPR makes DPIAs (Data Protection Impact Assessments) mandatory when processing is likely to result in a high risk to the rights and freedoms of individuals. If the assessment shows a high risk that cannot be mitigated, the supervisory authority must be consulted before the processing begins.
Opt-Ins
Currently, customers and prospects must have the ability to opt out of communications. Opt-ins were required for marketing broadcasts; however, the “soft opt-in” meant that if you obtained someone’s details through a customer interaction, this showed an interest in your business and the details could be used for marketing without explicit consent, provided the person could easily opt out.
GDPR states that consent must be freely given, specific, informed and unambiguous. If someone hands you their card you can’t assume they want marketing updates. If they fill in a form online, an opt-in box cannot be ticked by default.
There must be some form of clear affirmative action; consent cannot be inferred. Note that the soft opt-in itself comes from the separate e-privacy rules (PECR) rather than the DPA, so check the ICO’s guidance on where it still applies and where GDPR-standard consent is needed instead.
The changes are not too drastic a shift from the DPA; however, the consequences for non-compliance are steep. I recommend having a look at the Information Commissioner’s Office (ICO) website to check anything you are unsure of.
There is a lot of misinformation being spread online, so I’d also recommend only using trusted sources; if you’re in any doubt you can refer to the GDPR PDF courtesy of the European Parliament.