You will have already heard a lot about the looming General Data Protection Regulation (GDPR). It may sound like a piece of drab new European law, but if you run a membership organisation – or any other business – that retains any sort of personal data records then it’s vital you understand its impact and start preparations immediately.
For the uninitiated, GDPR is a European regulation that will strengthen an individual’s rights over the use of their personal data and simplify the legal environment for businesses that use it by unifying data protection laws across the European Union (EU).
The regulation was adopted by the EU last year and, after a two-year transition period, will become enforceable across all relevant territories from 25 May 2018.
We have read the weighty tome detailing the new legislation so you don’t have to. In this article, we list some of the key points in the legislation that businesses and membership organisations holding personal data should make themselves aware of.
Companies and organisations that fail to adhere to the standards placed upon them or suffer a data breach are liable to be fined by regulators. Maximum fines could be as high as 4 per cent of global annual turnover, or €20 million, whichever is greater.
Controller or processor?
GDPR applies to anyone acting as a ‘controller’ or ‘processor’ of personal data. A controller decides how and why personal data is processed; a processor acts on the controller’s behalf to gather, store, adapt and use it.
The processor will be required to maintain records of personal data and processing activities, and can be held directly liable if a breach occurs. A controller is obliged to ensure that its contracts with processors comply with GDPR.
What data falls under GDPR?
Two main types of data fall under GDPR: personal data and sensitive personal data.
Personal data is anything that can be used to identify an individual, including an online identifier such as an IP address. Personal data that has been pseudonymised also falls within the scope of GDPR, as does data processed automatically and data held in manual filing systems.
Sensitive personal data is any information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning health or a person’s sex life or sexual orientation.
An individual’s rights
Under GDPR, individuals have the right to access the personal data a company holds on them and the right to confirmation when a firm is processing their data. These rights allow an individual to establish whether the processing is lawful.
GDPR also gives an individual the right to have inaccurate or incomplete data rectified, to have data erased under their ‘right to be forgotten’, to block processing in some instances, to obtain and reuse their data for their own purposes across different services, and to object to processing and to direct marketing.
Under GDPR, consent from an individual must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. To establish this, there must be an affirmative action, such as ticking a box. It must be a positive opt-in: consent cannot be inferred from inaction or from pre-ticked boxes. Consent must also be verifiable.
Data management obligations
When GDPR comes into force, it will bring with it a new accountability principle requiring a business to demonstrate how it complies with its responsibilities.
A business will also – among other things – need to maintain documentation on its processing, implement measures so that data protection is built into the design of its systems, and carry out data protection impact assessments.
A company will have to record the purpose of processing, descriptions of the data held and the categories of data sent to each recipient, and details of transfers to other countries, along with details of its organisational, technical and security measures.
If a company has more than 250 employees, it will also be required to keep records of higher-risk processing, such as processing of personal data that could result in a risk to the rights and freedoms of individuals, or the processing of special categories of data or of data relating to criminal convictions and offences.