What is GDPR
The General Data Protection Regulation (GDPR) is the result of years of effort by the EU to bring data protection legislation into line with current, previously unforeseen ways in which data is used in changing times. It has some similarities with the UK’s Data Protection Act 1998 (DPA). GDPR is the new legal framework which will apply in the UK from 25th May 2018, despite the UK’s decision to leave the EU.
This new regulation sets out more clearly defined norms for the protection of personal data and has stricter provisions for organizations that do not comply with it. It is very important for those who have responsibility for day-to-day data protection.
GDPR applies to both ‘controllers’ and ‘processors’. Controllers are those who decide how and why personal data is processed; processors act on the controller’s behalf.
What is Personal Data
The definition of what counts as personal data has become much more relevant now.
‘Personal data’ refers to any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. In legal terms, a natural person is an individual who has his or her own legal personality.
For example, an IP address can be personal data. An example given by the ICO is: “a combination of data about gender, age, and grade or salary may well enable you to identify a particular employee even without a name or job title.” Whether an individual is identifiable depends on “all the means likely reasonably to be used either by the controller or by any other person to identify the said person”. In most cases, therefore, a reasonableness test is needed to determine whether any data, or combination of data, in a given set of circumstances can be classified as personal data.
Take one of the most common examples, the email address. Email addresses are designed specifically to be processed by computer, and the combination of a name and an email address is globally unique, so an individual can be identified from that data. It is personal data. The fact that it is a work email address is irrelevant: the DPA makes no distinction between data held in a work context and data held in a private context.
Will opinions that we record about people be classified as personal data?
If the recorded opinions are computerized, are intended to be computerized, or form part of a structured filing system, then those opinions may well be personal data. In fact, opinions are specifically referred to in the guidance issued by the Information Commissioner:
“The definition also specifically includes opinions about the individual, or what is intended for them.
For example, a manager’s assessment of an employee’s performance during the employee’s initial probationary period will, if held as data, be personal data about that individual. Similarly, if a manager notes that an employee must do some sort of training, that note will, if held as data, be personal data.”
Similarly, with reference to ID numbers the ICO writes:
“It is important to note that, where the ability to identify an individual depends partly on the data held and partly on other information (not necessarily data), the data held will still be “personal data”.
For example, an organization holds data on a particular database not by name but under unique reference numbers which can be matched to a card index system to identify the individuals concerned. The information held in the database records is thus personal data.”
Sensitive personal data
Sensitive personal data is a sub-category of personal data: it refers to a more specific type of personal data that must be protected with the utmost care so that it is not breached.
At present it includes information relating to:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade-union membership
- Health or sex life
Sensitive data is given enhanced protection, with explicit consent required for its processing. It has been further divided into two types, i.e., genetic data and biometric data.
Genetic data refers to gene sequences, which are used for medical and research purposes, whereas biometric data includes fingerprints and retinal and facial recognition data.
Provisions have also been made for “controllers” or “processors” that breach the regulation, under a two-tiered regime. Under these provisions, breaches of GDPR could lead to fines of up to €20 million (£17 million) or 4% of global annual turnover for the preceding financial year, whichever is greater, levied by a data protection regulator.
For less severe breaches, such as procedural violations, the authorities could impose fines on organizations of up to €10 million (£8.5 million) or 2% of global annual turnover, whichever is greater. Administrative fines are not mandatory; they must be imposed on a case-by-case basis and must be “effective, proportionate and dissuasive”. In the case of a minor violation, or where a fine would impose a disproportionate burden on an organization, a reprimand may be issued instead of a fine.
Why we need GDPR
As we head towards a digital economy, the security of personal data has become much more important, bearing in mind that many giant companies swap access to people’s data for the use of their services. The aim of enforcing the reformed legislation is to reduce the exploitation of data and to improve the trust of ordinary people in the emerging digital economy.
It will also provide a legal framework that gives businesses a simpler, reformed legal environment in which to operate. It will make data protection law identical throughout the single market, which the EU estimates will collectively save businesses €2.3 billion a year.
It is important not to see GDPR as a hindering regulation, but as a step forward towards a safer business environment for both the business and the consumer.
There are simple and effective ways to implement GDPR in your business, and it all starts with a simple consultation inside your business. In future we shall publish another post on how SME organisations can go about implementing GDPR compliance in their business.