GDPR Basics: Our Guide To Understanding And Complying With The GDPR
The General Data Protection Regulation (GDPR) is about to come into force, are you ready for it?
The (GDPR) was adopted by the European Union (including the UK) in April 2016 and will apply from the 25th May 2018. This regulation extends the data rights of individuals and requires organisations to develop clear policies to protect personal data and adopt appropriate technical and organisational measures. Fines for non-compliance can go up to 20 million Euros or 4% of group worldwide turnover (whichever is greater).
Despite the high stakes, data shows that 84% of SME’s are still unaware of these new regulations.
So what are you waiting for: have a read of our GDPR compliance guide.
The Main Data Types And How They Can Be Useful To Your Business
Personal data has been defined by the Data Protections Act (DPA) as any data “relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller”. Although it may prove to be extremely useful for company purposes, this form of data is to be strictly held under compliance with the eight principles for good handling of personal data outlined by the 1998 DPA. Personal data includes things such as names, citizenship, address, spouse information, national insurance numbers, card details, phone numbers.
Does the GDPR apply: Yes
Big data describes both structured and unstructured volumes of data: the data is typically so large that it presents logistical challenges in its management. In 2001, industry analyst Doug Laney said the term big data as being characterised by the three v’s: volume, velocity, and variety. Volume as the data is large and has many sources, velocity because data streams at a fast speed and variety because big data is presented in many formats. Big data can prove essential for your business because many results can be drawn from it: it can help determine the root cause of failures, recalculate risk in short time, detect fraudulent behaviour and much more.
Does the GDPR apply: Yes
Whilst big data is defined by its size, open data is determined by its use. Open data is available to access, use and share to anyone with no restrictions or mechanisms of control. This data can prove extremely useful because people, companies and organisations can make data-driven decisions and develop resources to improve their communities. Transport for London, for example, has seen a 58:1 return on investment by releasing open transport data and by creating open data-driven services such as city mapper.
Does the GDPR apply: yes
Open Government Data
Open government data is a subsection within open data. The key defining element is that it is the open data which comes specifically from the government. This information is essential for businesses as it is within the realm of open data, allowing individuals to make use of it for research; but it is also useful to hold the government accountable and transparent
Does the GDPR apply: yes
Grey data is the form of unstructured data that is considered “valueless” to the company. This can be present in the form of archived emails, attachments, employee work files, system generated files and more. The GGOC survey in 2012 showed that on the average, 1% of organisational data is subject to a litigation hold, 5% is subject to regulatory retention and 25% had some business value. Implying that 69% of business data is ‘grey’ and therefore has no business value but is kept by the company for unknown reasons.
Does the GDPR apply: yes
Pseudonymised data takes elements of personal data and replaces them with artificial identifiers. The purpose is to render the data record less identifying and therefore reduce concerns with data sharing. The difference between pseudonymised and anonymised data is that the pseudonym allows tracking back of data to its origins, meaning the subjects could be eventually identified again.
Does the GDPR apply: If the data necessary to re-identify the individuals is destroyed the GDPR does not apply, if the company retains the data to identify the individuals then the GDPR applies.
Anonymised data is data held in a form that does not identify individuals. Data is said to have been ‘anonymised’ when there are 3-5 people to whom the information could refer. The GDPR also states that anonymised data is not personal data and thus does not need to comply with the data protection principles set out by the GDPR.
Does the GDPR apply: no
What the GDPR wants from your Business:
Essentially, the GDPR’s scope is to create a human right to privacy for EEA citizens. To do this, it has put in place many requirements that also request grey data disposal and company awareness to personal data.
The GDPR requests that:
- The consent for data must be in an active form and can only be given by someone above the age of 16. Consent cannot be bundled with terms and conditions but it must be a separate precondition. Companies are also no longer entitled to bribe users for their personal data such as: “provide us with your email address to download this ebook”.
- Datasets containing personal data can only be published as open data by controllers or processors with the consent of the data subject or on some other legitimate basis (for example, compliance with legal obligations under article 6).
- The data GDPR data can only be transferred to a country that is also subject to the GDPR unless that receiving country has been deemed to have equal or better data protection laws in place.
- In the event of a data breach, data processors must notify their controllers and customers of the source, risks, and solution within 72 hours.
- The data subjects have the right to access how their data is being used by the data controller.
- When the data is no longer relevant to its original purpose, data subjects can have the data controller erase their data. Individuals have the right to have the data erased when they withdraw consent or when it is no longer necessary for the purpose it was originally collected for.
How Can You Comply With The GDPR?
The GDPR will require companies to undertake data flow mapping exercises. Data flow is the transfer of information from one location to another. It wants you to walk the information lifecycle to identify unforeseen or unintended uses of the data and ensure the people working with the data are consulted on the implications of this. The data is also to be immediately destroyed after having used it, meaning that most grey data will be eliminated.
Questions you should be asking in your data flow mapping exercises:
- How is personal data collected?
- Who is accountable for that personal data?
- What is the location of the systems containing the data? (Cloud? Offices? Third party?)
- Who has access to the information? (Employees? Consultants? Clients? Partners?)
- Does the system interface with or transfer it to other systems? (Internal? Post? Telephone? Data sharing? Social media?)
Still a bit confused by the GDPR? Well, stay tuned for our next industry-specific posts on what you should watch out for or read more in here.
Build A Solid Legal Foundation In Your Business
Get in touch with us today and we’ll connect you with lawyers that specialise in business law and can help you build a solid legal foundation in your business. If you need any legal advice at a great price then book a free Startup Legal Session.