GDPR: Everything you need to know
A bluffer’s guide to the General Data Protection Regulation, in force from May 25th
We need to talk about that little event that’s happening on May 25th.
Great! Oh, wait. Is that the time? I’ve just realised I have a thing . . .
No, not that one. I’m talking about GDPR, the new set of data regulations which comes into effect next Friday, and about which you – and a significant proportion of the rest of the population – have probably been burying your head in the sand.
Oh, that. You mean 2018’s answer to the Y2K bug, right?
Unfortunately not. Unlike the apocalyptic warnings about whether the Y2K bug might wreak havoc on IT systems, it’s not a question of whether it will happen, or what the scale might be. It is happening – and it’s not just a one-day event either. May 25th is just the starting point.
Okay, give me the elevator pitch. What do I need to know?
Right, so the GDPR (General Data Protection Regulation) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. It comes into force on May 25th, giving individuals more control over how their data is used, and putting more responsibility on the businesses that use it.
If they haven’t already done so, businesses should be developing their data-protection policies and procedures, training staff, and ensuring any changes to how they handle personal information are properly assessed against the regulations that are in place.
In essence, they should be taking a hard look at the data they’re holding, how they collected it, and whether they need to hold on to it – and if they do, how long it is reasonable to do so. Some will want to appoint a data-protection officer (DPO). Alan Mac Kenna, DPO with Fort Privacy, describes it as like “health and safety for data”.
They could have given us some notice . . .
Um, they did? According to Mac Kenna, it’s “something that has been in the rear-view mirror since it was first proposed back in 2012”. The approach to data protection across the EU has until now been largely fragmented. The GDPR builds on previous legislation, and attempts to harmonise privacy protections across the EU. It has been well mooted, but even so, the GDPR has been a rude awakening to people who’ve only just realised they don’t own the data they’ve collected from individuals over the years.
Wait. Is that why I’ve been getting all that spam email this week from a company I once bought a barbecue pizza oven from?
Yes, that’ll be the GDPR. But it’s not actually spam. This is about companies getting their house in order and giving individuals greater control over their data. As Mac Kenna points out, if companies had valid “consent” in the first place they wouldn’t need to ask.
So it’s a headache for businesses. But it doesn’t have any real bearing on the rest of us?
It certainly does – and it’s almost all good news. Organisations must now tell us clearly, and in understandable English, how they intend to use and protect our data. In other words, companies can no longer decide that just because you once ticked a box on a form you have consented to them holding onto everything from your email address to your credit card details to the name of your first pet for the rest of your life.
It also means that our data must be kept accurate, up-to-date and safe from Ukrainian troll farms. We have a right to object to direct-marketing practices, or to access our data, or ask for it to be erased when organisations have no legitimate reason to hold onto it. It means we have some extra protection from shady practices like profiling by groups working for mysterious overlords.
Perhaps more importantly, if we are the victims of automated decision-making that could have a legal or significant impact on us – say the computer says no to a loan or a job – we have the right to object and request human intervention. And the new regulations mean we may be entitled to compensation for breaches.
Wait! Are you saying we’re looking at a whole new set of compo claims?
That’s possible. After the GDPR comes in, individuals will be able to seek compensation through the courts for breaches of their data-privacy rights – even if they haven’t suffered material damage or financial loss. And yes, future class actions could follow.
So let me get this straight. Unless we give specific consent, no one has the right to hold onto our data?
Not exactly. Consent is one of the permissible grounds for processing data, but it’s not the only one. People may also have given their data as part of a contract of employment, for example.
I heard that if someone has given you their business card, that’s the same as consent for the purposes of GDPR.
Eh, not quite. We’re getting very hung up on consent here, but there are other grounds for processing data, including “legitimate interest”. A good rule of thumb, says Mac Kenna, is “the ‘surprise test’. Would the person be surprised that you are reaching out to them for the reason that you are? If I give you my business card at a conference, I am probably not going to be surprised that you are reaching out to me for something related to that.” So that wouldn’t be regarded as a breach. That said, business-card information is personal data. If you take the information on the business card and add it to an organised filing system, for example a customer relationship management system (CRM), then it falls within the scope of GDPR.
Are work email addresses considered personal data?
If they identify the individual then they’re personal data and are subject to the same protections as other data.
Does all of this have anything to do with the row over the age of digital consent I keep hearing about?
You’re quick on the uptake, aren’t you? The GDPR introduces special protections for children’s data, particularly in the context of social media. One of the requirements is the setting of the age of digital consent, which is the age at which internet firms can gather data from minors. The GDPR allows member states to choose an age between 13 and 16. This has been a contentious issue for Ireland.
On the one side are those who believe children of 13 are too young to fully understand what they’re consenting to; on the other are those who say setting it at 16 imposes unworkable restrictions on children’s use of services. This week, the Government’s plans to set it at 13 were defeated in the Dáil during a debate on the Data Protection Bill 2018, following calls from the opposition, who wanted us to follow Germany and set it at 16.
So is there going to be a grace period for companies to get their act in order?
What do you think the last two years were? The grace period ends now, I’m afraid.
So what happens to companies that don’t comply?
After May 25th, the Working Party 29, or WP29, the advisory body that’s been guiding development of the regulation, will be replaced by the European Data Protection Board – same people, new brand – who’ll be tasked with keeping an eye on it. Companies found in breach are looking at fines of up to 4 per cent of global turnover or €20 million, whichever is higher.
They can’t slap fines of €20 million on small businesses surely?
In theory, they most certainly can. The fines are designed to be effective, proportionate and dissuasive. “I don’t expect just big multinationals to be made examples of. The Data Commissioner’s attention will be driven by the complaints of individuals, and if it is shown that there are repeated infringements by, say, recruitment businesses, it is likely that the ODPC will pay particular attention to this sector as a whole,” says Alan Mac Kenna.
But I’ve been told organisations with fewer than 250 employees are exempt, right?
Wrong again. GDPR applies to all businesses. The only difference is that most organisations with fewer than 250 employees do not have the same obligation to keep records on processing activities, or the amount of time they will retain data. But this is not an absolute exclusion – it doesn’t apply where “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data”. In fact, these exclusions mean a lot of organisations with under 250 employees will be effectively treated the same as larger organisations.
What about public-sector organisations – are they exempt?
Not at all. They have broadly the same obligations as every other organisation to ensure data is used and held appropriately, with some additional obligations thrown in for good measure. The guidance is that it may not be appropriate for public authorities to rely upon consent or legitimate interest as a processing ground, but they can process data on the grounds of “public interest”. State bodies are obliged to appoint a data-protection officer, and breaches of the GDPR will be subject to fines – although the maximum fine is likely to be €1 million, which is lower than for private organisations.
Yikes. Is that it with the bad news?
Depends what you mean by “bad news”, but it’s certainly not the last set of regulations coming down the tracks. The ePrivacy regulation will eventually work with GDPR to bring further transparency and controls around how electronic communications with individuals are governed. This is in response to Article 7 of the EU Charter of Fundamental Rights, which says that “everyone has the right to respect for his or her private and family life, home and communications”. For some of us, that sounds like very good news.