GDPR – A Quick Overview

An elephant is due to enter the channel room next year in the form of a new EU directive called the General Data Protection Regulation (GDPR).

Yes, it does sound a bit like a leftover from the 1970s – perhaps an East German Stasi unit they forgot to close down that has come back to bite us.

Some would say that the similarities don’t end there either as GDPR really is a big sledgehammer designed to crack a big nut!

In essence, the GDPR is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.

The primary objectives of the GDPR are to give citizens and residents control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

When the GDPR takes effect, it will replace the EU data protection directive from 1995. The regulation was adopted on 27 April 2016. It applies from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require any enabling legislation to be passed by national governments.

In the UK, the GDPR sweeps away the Data Protection Act (DPA) of 1998 and will apply if the data controller (organisation that collects data from EU residents) or processor (organisation that processes data on behalf of a data controller, e.g. cloud service provider) or the data subject (person) is based in the EU.

Furthermore, the Regulation also applies to organisations based outside the European Union if they collect or process personal data of EU residents.

So, GDPR is for those who have day-to-day responsibility for data protection and will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.

However, it is highly likely that the UK government will, through its proposed new Data Protection Bill planned for introduction when the parliament returns from summer recess this autumn.

There are some areas in which EU countries have the flexibility to set their own rules around data protection, which are expected to be laid out in the new Bill.

With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to individuals.

As you have probably deduced already, the GDPR is chock-full of new definitions that will soon be adopted into our lexicon. Take, for instance, ‘pseudonymised’, a new word for spellcheckers the world over and better understood today by the term encrypted data.

Personal data takes on a new meaning under the GDPR as well, as it becomes anything that can identify a person – this will include online identifiers such as an IP address. This reflects changes in technology and the way organisations today collect information about people.

That means that the GDPR will affect artificial intelligence (AI) and machine learning too as tools such as algorithms let loose on collected data, including genetic and biometric information, cannot be used to profile identified individuals. Government criminal and security operations will, however, be excluded from certain elements of the directive.

And, just like the old East German Stasi, you cannot ignore the GDPR. Sanctions for non-compliance are massive – a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater.