GDPR has become an acronym recognised by us all. But do you know what it really means? Well, neither did I. That is, until recently.
Cambridge Analytica Scandal
In early 2018, the data analytics firm Cambridge Analytica was revealed to have used personal data from more than 50 million Facebook users, without their permission, to build a digital method for politically targeting voters based on their profiles. Around the same time, a pro-Brexit whistle-blower named Shahmir Sanni claimed that a firm linked to Cambridge Analytica received a healthy sum of £625,000 from the Vote Leave campaign. Sanni claims to have passed this information on to the Electoral Commission, as it is feared that similar tactics may have been used in the lead-up to the EU referendum.
General Data Protection Regulations
GDPR stands for General Data Protection Regulations. The GDPR went into effect 25th May 2018. It is a set of European Union (EU) regulations that applies to the UK, alongside the new Data Protection Act 2018.
In a nutshell, the regulation applies to every organisation that controls and processes personal data to ensure that the personal data of individuals is controlled and processed lawfully. As well as this, individuals’ rights include periodic access to their data and exercising the right to be forgotten.
Control & process
The control and process of data is generally undertaken by organisations who obtain and store data. Although there are different specific legal obligations for data controllers (who have access to personal data) and data processors (who process the data on behalf of the data controller), both must comply with the regulations.
The regulations do not apply to some activities such as processing for national security purposes and for personal/household activities.
For the purposes of the GDPR, the regulation covers data that is obtained or processed, wholly or partly, by automated means, or that forms part of a wider filing or logging system. Personal data is information about individuals that can be used to identify a person, either on its own or in combination with other information.
Common examples of personal data are listed within the regulations, such as name, ID number, economic information and location data, including IP addresses and cookie identifiers.
Article 5(1) of the GDPR states
“Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”
This means that, to acquire the data, the organisation must first obtain the explicit consent of the individual in a fair way (i.e. not through duress or misguidance) and be transparent in explaining the purposes for which the data will be held and used.
Article 6 of the GDPR sets out the six bases for processing personal data. At least one of these six bases must apply for data processing to be lawful. The bases are explained below.
· Consent
Clear consent by an individual has been received for processing their data. The consent must be active rather than passive.
· Contract
The processing is necessary to uphold a contractual obligation.
· Legal Obligation
The processing is necessary to comply with a legal obligation (as opposed to a contractual one).
· Vital interests
The processing is necessary to protect someone's life.
· Public task
The processing is necessary to perform a task in the public interest.
· Legitimate interests
The processing is necessary to pursue the legitimate interests of the data controller or a third-party organisation, provided that these are not overridden by the fundamental rights of the individual.
Many of the six bases refer to the processing as being necessary. This means it must be a targeted and proportionate way of attaining the data. The lawful basis does not apply if the same result can reasonably be achieved by another, less intrusive method.
The GDPR is essentially a way of giving EU citizens more control over their data. This includes the right to access their data at reasonable intervals and the right to be informed about the purpose of, and process by which, the data will be handled. Organisations are advised to use clear and transparent language when making this information known. Importantly, the GDPR also includes the “right to be forgotten”, under which individuals can withdraw consent for their data to be stored and/or processed, and organisations must comply accordingly by removing the individual's data.
There are serious fines for data breaches under the GDPR. Organisations could face fines of 2% of their annual turnover or 10 million euros for failing to report a data breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it.
A breach of the rules on personal data usage could result in a fine of the higher of 4% of the organisation's annual turnover or 20 million euros.
Even though the ICO has stated that it sees fines as a last resort, they are hefty and, undoubtedly, all organisations will want to avoid them.
So, is your organisation GDPR compliant?