The GDPR – General Data Protection Regulation is the new legal framework that came into effect on the 25th of May 2018 in the European Union (EU). EU Regulations have direct effect in all EU Member States, meaning the GDPR takes precedence over any national laws.
The GDPR’s focus is the protection of personal data, i.e. data about individuals. It affects not just companies but any individual, corporation, public authority, agency or other body that processes the personal data of individuals who are based in the EU. It includes your customers, employees, suppliers and any other individual you collect personal data from. Personal data includes names, contacts, medical information, credit card or bank account details and more.
GDPR gives control of personal data back to the people who own it, and it requires organisations to make data protection a core part of their operations and processes.
The GDPR has broad ranging implications for most departments within many businesses worldwide. Most businesses within the EU/UK or dealing with EU or UK entities will need to put in place additional practices and safeguards.
With the prospect of incurring fines of up to 4% of annual global turnover or 20 million Euros, whichever is the greater, knowledge of GDPR should be considered a business requirement.
The GDPR can also result in civil liability. Any person who has suffered damage as a result of a breach of the GDPR has the right to receive compensation from the data controller or the data processor.
GDPR Guiding Principles
The GDPR is founded on three basic sets of rules relating to personal data. In simple terms these can be outlined as follows:
Data Protection Principles
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the individual concerned. It must be collected or specified, explicit and legitimate purposes and not further processed in a way incompatible with this. Personal data collected must be adequate, relevant and limited to what’s necessary. It must be accurate and kept up to date, and every reasonable step must be taken to ensure that personal data that’s inaccurate is erased or rectified without delay. It must be stored in a way that identifies the individual for only so long as it’s needed, and it must be processed in a way that ensures appropriate security—including protection against loss, destruction, or damage, and unauthorised or unlawful access.
Processing of personal data is only lawful if at least one of the following applies: the individual has given consent for one or more specific purposes; it’s necessary for a contract to which the individual is a party, or will soon be; a legal obligation must be complied with (e.g. submission of tax records by a business); there’s a task that’s in the public interest or is carried out in the interest of official authority; it’s necessary for legitimate interests (or those of a third party) except where overridden by the interests, fundamental rights and freedoms of the individual.
The GDPR continues the general prohibition on sending personal data outside the European Economic Area to a country that does not provide adequate protection. At the time of writing, the countries deemed by the European Commission to provide “adequate” protection are: US companies that self-certify to the European Union US Privacy Shield arrangement (note: this does not mean the US as a country is considered to provide adequate protection), Andorra, Argentina, Canada (limited to PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay. Where no adequacy decision exists, transfers can only be made in limited circumstances, including on the basis of consent, the use of standard contractual clauses published by the European Commission or, in the case of inter-company transfers, the use of Binding Corporate Rules
EU GDPR Organisation GDPR Overview & Regulation
Information Commissioners Office (ICO) – UK Guide to GDPR
Information Commissioners Office (ICO) – UK Self-Assessment for SMEs
International Association of Privacy Professionals (IAPP) Top 10 Operational Responses to GDPR
NZ Law Society GDPR Compliance in 4 Steps
Office of the Australian Information Commission (OAIC) Australian Data Breach Process
NZ Privacy Commissioner NZ Data Breach Guidelines
Last Updated 1 May 2018