It affects any organization that processes personal data about individuals or offers goods or services to them.
Why Does GDPR Matter?
Under the current Data Protection Act, fines for non-compliance can be up to £500,000. The maximum fine under GDPR will be €20 million (£17 million) or 4% of global turnover, whichever is greater.
In addition, they can fine organizations up to €10 million (£8.8 million) or 2% of global turnover for not having their records in order (for example, failing to keep proper employee records).
What Has Changed?
GDPR sets out several key changes that make it easier for businesses and organizations to comply with data protection laws and principles:
The GDPR will replace the Data Protection Act 1998. It applies to all companies processing the personal data of EU citizens, regardless of where the company is based.
GDPR is technology-neutral. This means that it will apply to any business that uses technology, from apps and websites to CCTV systems and databases.
GDPR clarifies that data protection laws apply not just to ‘personal data' but also to ‘special' categories of data, such as genetic or biometric data.
It also clarifies the definition of ‘sensitive personal data’, which can be about criminal offenses or convictions.
For example, names and addresses are likely to be sensitive personal data because they can identify an individual.
Rules Relating to Children Under 16-Year-Old
As well as being more explicit about the definition of sensitive personal data, GDPR has strengthened provisions relating to children under 16 years old, particularly about online services such as social media platforms and online games.
In addition, it sets out stricter rules on consent for processing special categories of personal data or sensitive personal data. These rules include:
- Individuals must give unambiguous consent before organizations can process their sensitive personal information (for example, ticking a box). This includes information relating to criminal convictions and offenses.
- The organization must clarify what the individual is consenting to, for example, whether they are consenting to market materials or an app.
- Individuals must be able to withdraw their consent at any time.
- Wherever possible, the organization should use ‘granular’ opt-in consent mechanisms (for example, asking people to tick a box if they want to receive marketing materials from the organization).
- Where it is not possible to use granular opt-in, then organizations must explain why it is not possible in their privacy notice. For example, they may need to provide an ‘opt-out’ option for those who do not want their data processed for marketing. They must also explain how individuals can withdraw their consent at any time.
Getting Consent from Individuals
The GDPR will introduce more stringent rules on obtaining consent from individuals before processing their personal data. In particular:
- It will clarify that consent must be freely given, specific, informed, and unambiguous. They cannot assume it from silence, pre-ticked boxes, or inactivity.
- It will also require organizations to keep evidence of consent (for example, by asking individuals to sign a form).
The GDPR is likely to have a significant impact on how organizations interact with their customers and business partners.
For example, if an organization has an app that requires location data for the app to work, then it may need to get explicit consent from users before collecting and using this data.
The same would apply if an organization wanted to send marketing materials via email or SMS text messages.
Organizations must get clear consent from individuals before collecting any sensitive personal data or special categories of personal data (such as criminal convictions).
They must also make sure that the individual understands what they are consenting to (for example whether they are agreeing to receive marketing materials).
Transparency about Information Usage
Organisations must provide transparent information about why they need the information and how it will be used. This includes:
- The organizations that might use the data (for example, direct marketing companies or debt collection agencies). The type of processing that will take place (for example, using the data to send marketing materials or to conduct a credit check).
- Individuals must be able to withdraw their consent.
The Right to be 'Forgotten'
The GDPR introduces a ‘right to be forgotten'. This gives individuals the right to have their personal data deleted in certain circumstances, for example, if it is no longer necessary for the purpose it was collected.
The GDPR also clarifies that individuals may ask an organization to transfer their personal data from one service provider to another.
Organizations must have a lawful basis for processing personal data. The most common lawful basis is ‘consent’, but there are other grounds for processing too, such as ‘contract’ and ‘legitimate interests. Organizations will need to make sure they have evidence of consent before collecting and using personal data, such as
- Recording how and when individuals gave consent.
- Where appropriate, keep evidence of consent in an accessible format (for example, by asking people to sign a form).
- Organizations must keep accurate records of all personal data they hold. They must also make sure that the records are easily accessible and readable.
This will help them identify any personal data that they no longer need to process, or that is incorrect.