January 29, 2018, by Richard Hyde
The GDPR is coming!
Data is valuable. It can be used in a variety of ways that can immeasurably enhance the services provided by business and the experience of consumers. But the law that governs the collection and use of data is old. It was drafted in the 1990s, when many of the ways in which we now process data were not in the minds of the drafters. The regulatory regime therefore needs updating, and the EU has adopted the General Data Protection Regulation (‘GDPR’) to bring it to a state that can deal with current practice in fields like machine learning, and to ensure that consumers are aware of the uses to which their data will be put and are able to control those uses. The updated rules will apply from 25th May 2018. Businesses need to ensure that they are ready for the changes so that they can comply with the requirements. In a series of posts I will examine the ways in which the GDPR will change things for both businesses and consumers.
Before considering the regime it is necessary to consider the boundaries of the regulation. It applies to the processing of personal data. Personal data is information which relates “to an identified or identifiable natural person.” Identification may be direct or indirect. Processing covers a long list of operations that can be performed on that data, including the “collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” of data. A simple example of processing is asking for an individual’s name and postal address, storing that information (usually in a database) and then retrieving and using that postal address to send a Christmas card or marketing information. Similarly, collecting data about an individual from their social media profile, and using it to ensure that the advertisements on the platform are targeted at individuals likely to purchase the goods or services advertised, would amount to processing of personal data.
The new rules affect every business and consumer in the EU. Businesses will usually be data controllers, as they will be responsible for determining the “purposes and means of the processing of personal data.” Therefore, all businesses need to be revisiting their data collection, storage and use in the light of the new regulation. This can seem like a daunting task, particularly when confronted with the massive (and not easy to understand) text of the Regulation itself. Fortunately, there are plenty of resources available for those people who have the responsibility for undertaking this process.
The best place to start is with the Information Commissioner’s Office. The ICO is the data protection regulator in the UK, and has an important role in helping businesses understand their responsibilities. The most useful document for a business beginning to grapple with the GDPR is its guide “Preparing for the GDPR: 12 steps to take now.” It provides a series of actions that a business should take in order to prepare for 25th May. Two important steps could be prioritised. First, businesses should undertake an exercise that allows them to understand what personal data they hold, where it came from, who they share it with and why they hold it. This might be an easy exercise if all data is held in one place. However, this is unlikely to be the case, and it may require communication with a number of different actors within the business to draw up a comprehensive list. Second, a business should designate someone to take responsibility for data protection compliance throughout the business. The GDPR makes the formal appointment of a Data Protection Officer mandatory only for certain organisations (such as public authorities and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data), but every business should assess whether it falls into one of those categories and, whether or not it does, should identify who is accountable. Once that person is identified, the other steps can be undertaken by them. In the next of this series of blog posts we will examine the need to update privacy notices, which requires businesses to identify the information they hold and the lawful basis for processing it.