GDPR – What’s that then?

May 25, 2018 | By | Reply More

GDPR replaces our old UK Data Protection Act 1998 which had got a bit long in the tooth. This new legislation is much more robust about protecting your personal data and forcing companies to be more transparent in telling us what they are collecting, what they are doing with it, who they are sharing it with and how long they are keeping it for. We, the data subjects, get far more rights over our data but I’ll get to that later.

GDPR or, to give it its full title the General Data Protection Regulation (EU) 2016/679, is a funny old beast. It is an EU regulation that was actually passed into law in 2016, so you may be asking why you are only hearing about it now? Well, before you get to the actual laws in the legislation there are a number of what are known as ‘Recitals’ which are in effect notes to make things clearer. Actually, there are 173 of them but recital 171 says there is a two year transitional period before GDPR comes into force. That period ended on the 25th May 2018 which is why you saw a last minute rush for compliance and your inbox was flooded with GDPR messages.

The GDPR laws themselves are grouped into Articles and the first point of Article 1 says ‘This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.’ The important thing here is the ‘natural persons’ bit. So, vampires, zombies, the dead in general, other un-natural people and corporate entities (who are in effect legal people) are not covered. They will have to look elsewhere for legal redress.

Let’s look at a bit which is exempt from GDPR. The first bit of Recital 18 states ‘This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity.’ That’s nice to know as it means your old-fashioned address book that you use once a year for sending Christmas cards is not covered by GDPR!

It’s worth pointing out that this is an EU regulation, so any company who has a presence in an EU country and processes private personal data has to comply with the GDPR requirements. Failure to comply could be rather expensive as the limit for fines has been increased to 20 million of 4% of a company’s turnover, whichever is the greater. The EU has instructed each member country to establish a supervisory authority to impose the fines and enforce the regulations. This particular mantle has been taken on by the Information Commissioners Office (ICO) who previously imposed the UK’s Data Protection Act. GDPR has given the toothless wonder some teeth!

I don’t want this to be a particularly long article so let’s look at what GDPR gives to you the data subject, assuming this is being read by a natural still living person. A company processing personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing, how long data is being retained and if it is being shared with any third-parties or outside of the EU. This disclosure is supposed to happen at the point of data collection. You can expect to see a lot of data privacy notices when you register on-line for things.

The lawful basis for the processing is probably an article in its own right but it’s worth knowing that there are 6 lawful bases:-

1) you have given your consent,

2) it’s required as part of a contract,

3) there is a legal obligation,

4) to protect the vital interests of someone,

5) in the public interest or an official authority,

6) legitimate interests of the company.

In normal day-to-day activities, most processing will be under 1, 2 and 6. Consent actually gives the data subject the most control over their personal data as you can withdraw your consent at any time. There’s quite a lot of regulations about how consent is to be gained. Generally speaking, under GDPR, the rights of a data subject are:-

1) The right to be informed, you must be told about what data is collected, by whom and what they will do with it.

2) The right of access, you can access what data they hold on you free of charge.

3) The right of rectification, you can them to correct any errors.

4) The right to erasure, you can ask them to delete your information.

5) The right to restrict processing, this right is a bit limited and only available in certain circumstances.

6) The right to data portability and allows data subjects to obtain and reuse their personal data across different services for their own purposes but there are limitations.

7) The right to object is the right to object to direct marketing, processing based on legitimate interest, and purposes of scientific/historical research and statistics.

8) The right to object to automated decision making and profiling with limitations.

Number 8 is interesting as it could limit the opportunities for the computer to say ‘No!’ Fans of the comedy TV programme ‘Little Britain’ will know what I’m talking about. It might have implications for AI development if it was intended for the AI to make decisions that impacted natural people.

Now that GDPR has arrived in the European Union, what other countries will take it up? There is Norway and the UK certainly will as the Data Protection Act 2018 not only writes GDPR into UK law ready for Brexit, it extends it! I would expect that other countries along the EU boarder or who have extensive trade with Europe may well adopt it. While not a country, Microsoft has a turnover greater than some countries GDP and their new deputy general counsel, Julie Brill, announced in a blog, post-Microsoft’s commitment to GDPR compliance.

It’s a funny old world.

Andy Whitaker

May 2018


Category: Computers, MEDIA

About the Author ()

I live in deepest darkest Essex where I enjoy photography, real ales, walking my dog, cooking and a really good book. I own an e-book reader which goes with me everywhere but still enjoy the traditional paper based varieties. My oriental studies have earned me a black belt in Suduko and I'm considered a master in deadly Bonsai (there are very few survivors).

Leave a Reply