As 28 May comes closer, it’s time for organisations to get up to speed with the General Data Protection Regulation (GDPR). To put it simply, the new regulation extends the protection given to the privacy of individuals and their personal data. This puts more obligations on organisations that process personal data.
The data protection compliance environment is changing and it’s important that organisations and the individuals that work within them understand the regulation’s new terminology. It is only by embedding such an understanding within the company culture that organisations can hope to comply with the GDPR.
To make your compliance journey that little bit easier, we’ve collated some of the changes in the regulation’s terminology and provided you with a breakdown to give you the best possible understanding.
Principles of the Data Protection Act vs. Principles of the GDPR
The Data Protection Act (DPA) has eight principles whereas the GDPR has seven principles. The principles seek to achieve largely the same objectives, with a couple of notable additions under the GDPR:
Personal data always had to be processed fairly and lawfully. Under the GDPR it also has to be processed “in a transparent manner in relation to the data subject”. In practical terms, this means that privacy policies will have to be much clearer and easier to understand, and that the use of ‘just in time notices’ will become more widespread. These are typically pop-up messages that inform individuals at the point at which they are providing personal data to a controller.
A controller of personal data must be “able to demonstrate” compliance with the GDPR. This means that record keeping will be much more important. Organisations will need to be able to show:
- when staff training took place
- when third-party processors were audited
- what information individuals had before they chose to consent to the processing of their personal data.
How does the GDPR protect more data?
The regulation makes it clear that it can apply to organisations outside the European Union. Those companies need to ensure that they comply with the GDPR. They may not be worried about fines issued by regulatory authorities outside their own country, but they should be worried about its impact on their business: non-compliance within the EU means bad publicity for these companies.
The GDPR extends the definition of ‘personal data’. For example, the GDPR makes it explicit that ‘online identifiers’ may make an individual identifiable and, therefore, any information related to that individual will be ‘personal data’. This is of particular importance to the online advertising industry and its use of tracking IDs. This is because the obligations of the GDPR potentially extend to such identifiers.
The impact of the GDPR on product design
‘Privacy by design’
This concept has always been implicit within the DPA, and the ICO has been keen enough on the concept to issue a guidance note on the topic (1). It is now explicit in Article 25 of the GDPR. This requires controllers of data to implement “appropriate technical and organisational measures”, such as ‘data minimisation’ and ‘pseudonymisation’, when processing personal data.
‘Data minimisation’
Controllers should only use such personal data as is necessary to provide the product or service for which it is required. If it is not necessary, do not use it. For example, if an organisation collects location data for the purpose of establishing where its customers live, once it has such information and has aggregated it, keeping the underlying data is no longer necessary and so it should be deleted.
‘Pseudonymisation’
The GDPR defines this as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”. It does not take such data outside the scope of ‘personal data’, but it offers a degree of protection to that personal data.
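As an added illustration, not from the original article, of the definition above and of the location example under data minimisation: the pseudonym is a keyed HMAC of the direct identifier, the key and the linkage table are the “additional information” that must be kept separately, and the per-person rows are dropped once the aggregate has been computed. The records, key and field names are constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people): a direct identifier plus a
# location field the organisation only needs in aggregate.
RAW_RECORDS = [
    {"email": "alice@example.com", "postcode_area": "SW1"},
    {"email": "bob@example.com", "postcode_area": "M1"},
    {"email": "carol@example.com", "postcode_area": "SW1"},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the identifier. A plain unkeyed hash of an e-mail
    address could be confirmed by guessing; with a secret key it cannot, so the
    key is the 'additional information' that must be held separately."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Return (pseudonymised records, linkage table). The linkage table is the
    only route back to a data subject and belongs in a separate, access-controlled store."""
    out, linkage = [], {}
    for r in records:
        p = pseudonym(r["email"], key)
        linkage[p] = r["email"]
        out.append({"subject_id": p, "postcode_area": r["postcode_area"]})
    return out, linkage


def reidentify(pseudo_record, linkage):
    """Attribution is possible only for a party holding the linkage table."""
    return linkage.get(pseudo_record["subject_id"])


def minimise_to_aggregate(pseudo_records):
    """Data minimisation for the location example: once the number of customers
    per area is known, the per-subject rows are no longer needed and are not returned."""
    return dict(Counter(r["postcode_area"] for r in pseudo_records))


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-separate-store"  # constructed, not a real secret
    pseudo, linkage = pseudonymise(RAW_RECORDS, key)
    print(pseudo[0]["subject_id"][:16], reidentify(pseudo[0], linkage))
    print(minimise_to_aggregate(pseudo))  # {'SW1': 2, 'M1': 1}
```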
‘Sensitive data’ vs. ‘Special Categories of information’. What’s the difference?
Both the DPA and the GDPR afford special protection to certain categories of personal information. The DPA called these ‘sensitive data’. The GDPR calls them ‘special categories of information’. They cover much of the same ground, e.g. trade union membership and health, but there are differences in the definitions.
The GDPR specifically adds ‘sexual orientation’ rather than just information relating to an individual’s ‘sex life’. The DPA includes information related to criminal offences, which is missing from the GDPR.
Significantly, as a response to advances in science over the last 20 years, the GDPR specifically includes ‘genetic data’ and ‘biometric data’.
The most important difference between ‘sensitive data’ under the DPA and ‘special categories of information’ under the GDPR is that, under the DPA, processing of ‘sensitive data’ is allowed, subject to it being fair and lawful. Under the GDPR, the processing of ‘special categories of information’ is prohibited unless the processing falls within an exemption, such as where the individual has given ‘explicit consent’.
If you would like to see a comprehensive, simple and easy to use solution to help organisations deal with the GDPR, watch the short video about The Privacy Compliance Hub – it tells you what to do, how to do it, who should do it and when. Or, if you would like to talk about any of the issues raised by this article, please feel free to drop us a line at firstname.lastname@example.org.