The General Data Protection Regulation, or GDPR as it is more commonly known, is a new piece of data protection legislation coming into United Kingdom law on 25th May 2018. It seeks to build upon the current Data Protection Act (DPA) by implementing stricter rules and regulations on what is and is not permitted when processing personal data. It applies to all businesses in the United Kingdom as well as the European Union, and in this blog post we take a closer look at the new regulations coming into force.
What is the history of GDPR?
In January 2012, the European Commission released the first proposal for the General Data Protection Regulation (GDPR). After three years of negotiation and changes, a final document was agreed in April 2016. Subsequently, a two-year transition period was decided on, with the provisions of the legislation set to become legally applicable in all member states two years later, on 25th May 2018.
Significant speculation that the new legislation would not take effect in United Kingdom law followed the result of the European Union Referendum on 23rd June 2016. However, this speculation proved unfounded when the government declared that the General Data Protection Regulation (GDPR) would be adopted regardless of Brexit. Many reasons were given for this decision, including that it would become harder to trade and do business with European Union based businesses should United Kingdom data protection laws be different, and in particular less stringent.
Why is GDPR needed?
With the original Data Protection Act (DPA) of 1998 still covering the United Kingdom and the Data Protection Directive of 1995 covering the rest of the European Union, the need for updated data protection legislation is overwhelming. Clearly, the internet and technology in general have moved on significantly during the last twenty years, and this has created a significant change in how personal data is collected, stored and processed. As such, historic data protection regulations simply no longer do enough to protect individuals' personal data, and an overhaul has been both needed and a long time coming.
What are the main points of GDPR?
With eleven chapters and ninety-nine articles, the General Data Protection Regulation (GDPR) is an extensive document. As such, the only way to truly understand and realise the full requirements for compliance is to read through the document in full. If you wish to do so, you can find the document here. However, for the purposes of a brief overview, the core principles of processing personal data can be considered. These are six rules that all organisations must follow when processing personal data.
The General Data Protection Regulation states that personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
What happens if I do not comply with GDPR?
Put simply, General Data Protection Regulation (GDPR) compliance is not optional. Once 25th May 2018 is reached, the legislation will become enforced United Kingdom law, and all businesses shall carry the legal obligation to comply. Administrative fines will be the most common penalty for non-compliance, and these can reach up to four percent of annual global turnover or twenty million euros, whichever is larger. The Information Commissioner's Office, which enforces the General Data Protection Regulation (GDPR) in the United Kingdom, also has a range of government backed corrective powers, including the ability to issue warnings or reprimands, the power to put in place temporary or permanent bans on data processing, and the right to order the seizure or erasure of data.
What are BlueFrog Media doing to become GDPR compliant?
We are fully committed to complying with the General Data Protection Regulation (GDPR), and believe in all of its principles. We have already taken a number of steps to ensure that we are compliant with the new legislation, and are continuing to work tirelessly to ensure we adhere to it. We are also working closely with a leading cyber security firm, as well as a firm of solicitors that specialises in data protection law, to ensure that we are fully compliant throughout our business. If you would like more information on the steps we have taken so far, as well as what we plan to do, please do not hesitate to contact us and we will be happy to outline our GDPR compliance journey for you. We would also be more than happy to put you in touch with the parties who are assisting us in our General Data Protection Regulation (GDPR) compliance efforts, should you be interested in their services.
BlueFrog Media is not a firm of solicitors or a data protection consultancy, and no action should be taken on the basis of this article without prior consultation with a legal professional. This article does not constitute legal advice, and BlueFrog Media is not liable for any of its content.