The concern for data privacy is growing day by day. Just last week, on 28th January, the world celebrated the 13th Data Privacy Day. Software companies everywhere are taking steps to maximise data security. The introduction of the GDPR less than two years ago, on 25 May 2018, was an important step in the right direction.
We have prepared a detailed guide on key principles of GDPR so that people (both consumers and producers) with little or no legal knowledge know exactly what the implementation of the GDPR means for the security of personal data.
In addition to talking about GDPR basics, we will also touch upon topics such as how businesses are affected by the introduction of the GDPR and how they can apply it to their everyday business practices, as well as the rights that are now granted to their clients.
Let’s start with an introduction to the revolutionary GDPR legislation.
What Is GDPR?
The first question that pops up in the mind of a common person is, “What does GDPR stand for?”
Here’s a short answer: GDPR is an acronym for ‘General Data Protection Regulation.’
For those who are now even more confused than before, we have a more thorough explanation coming right up!
GDPR Explained to the Layperson
Here is how we would explain the concept of GDPR to a newcomer:
Under this law, companies must make sure that their clients’ personal data is protected. Otherwise, they may be forced to pay fines amounting to millions of pounds.
But what does ‘personal data’ mean? And how exactly is it to be ‘protected’?
Personal data refers to information that can be used to identify a living person. It could refer to any information about yourself that you would not want random strangers to know about. Personal data includes, but is not restricted to, a person’s
- Date of birth
- Any kind of identification number
- Address or other location data
- IP address
- Contact number
- E-mail address
- Bank account details
- Education and employment records
- Physical appearance
- Vehicle registration plate number
A person’s race, ethnicity, gender, sexual orientation, religious and political views, medical/health data, and various other attributes qualify as highly sensitive personal data.
One important thing to note when it comes to defining personal data is the context in which it has been collected or is being used. If the data can be used to identify an individual, it will be referred to as personal data.
Here is an example of how context affects the principles of GDPR:
When you google the name Emma, you get nearly a billion results. There could be hundreds or thousands – maybe even millions! – of Emmas all around the world. Let’s say you are looking for an Emma Smith. Now you will get over 200 million search results. That’s still not very useful, is it? However, if you knew Emma Smith’s phone number, address, or other information that could help you narrow down the results you got, it would mean you are using her personal data to identify her.
If there are bits and pieces of information which, combined, may enable anyone to identify a person, then that information will fall under the label of personal data.
The protection of personal data refers to the responsible handling and secure storage of data. There are restrictions about how and with whom the data can be shared. These tasks seem very simple but may actually be quite challenging to achieve in practice. We will touch upon this topic further ahead in our discussion of GDPR compliance.
Who Does GDPR Apply To?
Although the General Data Protection Regulation was passed by the European Union, its terms are such that businesses all over the world are forced to ensure that their practices are in line with this regulation.
There are two main conditions for the law to apply to your business:
- You are a business that operates in a region that falls within the European Union.
- You are a business that has customers who are citizens of a region that falls within the European Union.
If you fall within either (or both!) of these categories, then any kind of violation of the terms of the GDPR is sure to land you in trouble.
The European Union is a sort of economic coalition between 27 countries. The member countries are considered part of a “single market” or “internal market” which allows various trade benefits. As part of our handbook on the rudimentary principles of GDPR, we have compiled a list of countries that are part of the European Union:
The UK was part of the EU until 31 January 2020, and while it was, UK markets complied with GDPR principles. However, its departure from the EU (Brexit) does not have an immediate effect on GDPR principles in the UK, or on its status in the single market, until the transition/implementation period ends.
Besides the EU, you also need to take the following three countries into account. These countries are part of the European Economic Area (EEA) and European Free Trade Association (EFTA), and practise the implementation of the GDPR, just like members of the EU:
Another exception is Switzerland, which belongs to neither the EU nor the EEA. Regardless, it is part of the single market as it is part of the EFTA.
When Does GDPR Take Effect?
Since many of you may not already be aware, our GDPR instruction manual has the answer to this question too.
After a lot of deliberation and discussion around this issue, the General Data Protection Regulation finally came into effect in May 2018. A notice period of two years was given so that businesses could gradually adapt to the new legislation and adjust their operations accordingly.
On 25 May 2018, the implementation of the GDPR became mandatory within all member states of the European Union and EFTA. The UK, with its trade status unaffected by Brexit so far, is still under the obligation to comply with the GDPR. The UK has plans of implementing new legislation much like the GDPR once the transition period ends.
What Is GDPR Compliance?
GDPR compliance refers to the act of ensuring that your business practices and operations align with the regulations that the GDPR instructs businesses to follow.
Before we tell you how to become a GDPR-compliant organisation, you need to know what rules and conditions are laid out in this legislation.
GDPR Terms and Conditions
While we cannot list down all the terms listed down under the GDPR, we will highlight some of the most important ones for you.
There are seven key GDPR principles.
Since this is a thorough guide to the principles of GDPR for the layperson, we’re not going to leave you on your own, dazed and confused. We will talk about what each of the GDPR’s 7 principles really means.
1. Lawfulness, Fairness, and Transparency
You must process data in a way that does not break any laws or rules. You cannot hide the purpose of data collection from the people you collect data from. You also have to be clear and honest with them and use simple language when communicating with them. The processing of data should also not result in any negative consequences for the client.
2. Purpose Limitation
The purpose of data collection should be clearly communicated to your clients. You cannot use the data for any other purpose if you have not obtained the client’s consent for it beforehand. However, if you wish to use their data in future for the purpose of a greater good (e.g. for the progress or betterment of the general public, or for scientific research), then you may be allowed to do so.
3. Data Minimisation
You cannot collect unnecessary data that is not relevant to the purpose of collection. You are only allowed to collect data that is relevant and will be useful to your operations. So before you start going around collecting information, figure out exactly what you need (yes, need, not want!). There should also be periodic reviews so that you can delete unnecessary or irrelevant data after a certain amount of time.
4. Accuracy
The data that you collect and store needs to be 100% correct. And don’t forget: your clients also have the right to make amendments to inaccurate or incomplete personal information. In case of any changes, you need to update your existing records right away.
5. Storage Limitation
You cannot store data forever. You need to define the time period for which you will be storing it. Once that time has passed, you will be legally obligated to delete the information. If you have forwarded the data to a third party (with the clients’ consent, of course!), then you will have to ensure that they also delete it at their end.
6. Integrity and Confidentiality (Security)
This is one of the most important GDPR rules. Technological progress has also brought along increased cybersecurity risks. Then there is the threat of physical damage or destruction. All the data that you store in digital format on high-end servers needs to be protected, for which you can use various types of encryption. In case of data loss or failure to keep client data safe, get ready to pay some heavy fines! You will also have to inform everyone affected by the data breach. As soon as you yourself find out about the incident, you will have 72 hours to make the information public.
7. Accountability
To prove that you are meeting all the requirements set forth by the GDPR, you need to properly document the data collection and processing.
How to Be GDPR-Compliant
So far in our guide to the principles of GDPR, we have talked about how you can identify personal data and what principles the GDPR focuses on. Now comes the part where we talk about how you, as a business, handle data.
To make sure that you, as a business, do not violate the terms of the GDPR, there are some measures you must take. Following these crucial rules and regulations will lead your business to become ‘GDPR-compliant’.
Here are some easy steps you can take to achieve GDPR compliance:
- Be honest with your clients and establish a relationship of trust with them. Keep it simple. Don’t overburden them with unnecessary, complex terminology.
- Consult a Data Protection Officer (DPO) who can explain all the legal jargon to you and ensure that you are following all the rules.
- Don’t collect more data than you need, or it will be difficult to manage and become a problem for you.
- Anti-hacking measures must be taken! Encrypt stored data. Make sure that your clients can’t be identified in case of a data leak.
- Take special steps for security if you are dealing with super-sensitive information.
- Test your product thoroughly to ensure it is GDPR compliant.
- Be careful when collecting data from or related to children. Age is more than just a number!
- Document everything!
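To make the data-minimisation, retention and “can’t be identified in a leak” steps above concrete, here is a small Python example added to this guide (it is not code from the original article or from any regulator). It keeps customer records under a keyed pseudonym instead of the raw identifier, refuses fields the stated purpose does not need, and purges records once their retention period passes; it also shows the right of access and the right to erasure as lookups by pseudonym. The field names, the one-year retention period and the sample customers are constructed assumptions:

```python
"""Added example: a toy customer store that enforces three GDPR principles in code.

  * data minimisation         - only fields the stated purpose needs are accepted;
  * storage limitation        - every record carries a retention deadline and is
                                purged once it passes;
  * integrity/confidentiality - the customer identifier is replaced by a keyed
                                pseudonym (HMAC-SHA256), so a leaked table does not
                                reveal who the person is without the separately held key.

The field names, the retention period and the sample data below are constructed.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumption: the declared purpose (a newsletter) needs only these two fields.
ALLOWED_FIELDS = {"postcode", "newsletter_opt_in"}
# Assumption: the retention period the business has documented for this purpose.
RETENTION = timedelta(days=365)


class PseudonymisedStore:
    """Records keyed by a pseudonym derived from an identifier such as an e-mail address."""

    def __init__(self, key: bytes, now=None):
        self._key = key                      # hold separately from the records in practice
        self._records = {}                   # pseudonym -> {"fields": ..., "expires_at": ...}
        self._now = now or (lambda: datetime.now(timezone.utc))

    def pseudonym(self, identifier: str) -> str:
        # Keyed hash: the same identifier always maps to the same pseudonym, but
        # the mapping cannot be recomputed by someone who only has the table.
        normalised = identifier.strip().lower().encode("utf-8")
        return hmac.new(self._key, normalised, hashlib.sha256).hexdigest()

    def store(self, identifier: str, fields: dict) -> str:
        """Data minimisation: refuse any field the stated purpose does not need."""
        unnecessary = set(fields) - ALLOWED_FIELDS
        if unnecessary:
            raise ValueError(f"not needed for the stated purpose: {sorted(unnecessary)}")
        pid = self.pseudonym(identifier)
        self._records[pid] = {"fields": dict(fields), "expires_at": self._now() + RETENTION}
        return pid

    def access(self, identifier: str):
        """Right of access: return a copy of what is held, or None."""
        rec = self._records.get(self.pseudonym(identifier))
        return None if rec is None else dict(rec["fields"])

    def erase(self, identifier: str) -> bool:
        """Right to erasure: True if a record was removed."""
        return self._records.pop(self.pseudonym(identifier), None) is not None

    def purge_expired(self) -> int:
        """Storage limitation: delete every record whose retention period has passed."""
        now = self._now()
        expired = [pid for pid, rec in self._records.items() if rec["expires_at"] <= now]
        for pid in expired:
            del self._records[pid]
        return len(expired)

    def __len__(self) -> int:
        return len(self._records)


def demo() -> dict:
    """Walk through the principles with constructed data and an injectable clock."""
    clock = {"now": datetime(2024, 1, 1, tzinfo=timezone.utc)}
    store = PseudonymisedStore(b"constructed-demo-key", now=lambda: clock["now"])
    out = {}

    pid = store.store("Alice@example.com", {"postcode": "SW1A 1AA", "newsletter_opt_in": True})
    out["pseudonym_hides_identifier"] = "alice" not in pid and "example" not in pid
    out["pseudonym_is_stable"] = pid == store.pseudonym("alice@example.com")

    try:  # a field the newsletter purpose does not need is refused
        store.store("bob@example.com", {"postcode": "E1 6AN", "passport_number": "X123"})
        out["minimisation_enforced"] = False
    except ValueError:
        out["minimisation_enforced"] = True

    store.store("carol@example.com", {"postcode": "M1 1AE", "newsletter_opt_in": False})
    out["access"] = store.access("alice@example.com")
    out["erased_once"] = store.erase("carol@example.com")
    out["erased_twice"] = store.erase("carol@example.com")

    clock["now"] += RETENTION + timedelta(days=1)   # one day past the retention period
    out["purged"] = store.purge_expired()           # Alice's record is the only one left to purge
    out["remaining"] = len(store)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The key that turns an e-mail address into a pseudonym is what makes the table useless on its own, so in a real deployment it lives in a separate secrets store, never beside the records; the injectable clock is there only so the retention purge can be demonstrated without waiting a year.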
What Does the Inception of the GDPR Mean for YOU?
Considering this is a guide for people with limited technical expertise, let’s have the GDPR principles explained with the help of a situation:
Ever submitted your information by mistake because you forgot to uncheck a box on some website’s consent form? Businesses can’t do that on their websites and apps now!
As an internet user or an organisation’s client, you are entitled to hold businesses responsible for any malpractice (shady business) concerning your data.
Under the GDPR, you have the following powers:
- The right to be informed: You can ask businesses to explicitly tell you
  - What information they wish to collect from you
  - Why they want to collect said information
  - For how long they will store the information
  - Who they will be sharing it with
- The right of access: Businesses are obligated to give you (often for free) a copy of the data that they have on you if you request it. You can do that in two ways: verbally or in writing. They are obligated to get back to you within one month.
- The right to rectification: You can have corrections made if any of your information has been wrongly recorded.
- The right to erasure: In certain circumstances, e.g. if the organisation is using your data for purposes which you never consented to, you can get your information deleted from the organisation’s records.
- The right to restrict processing: In some cases, you can let organisations store your data but tell them not to use it for further processing.
- The right to data portability: You can ask organisations to give you a copy of your data in a format of your choice so that you can use it for your own purposes.
- The right to object: One important point here is that you can stop organisations from processing all or part of your data for direct marketing purposes such as e-mail or phone ads.
A Quick Summary of GDPR Principles
This brings our GDPR guide write-up to an end.
It is undoubtedly a blessing for clients. Your data is much more secure than ever before because businesses now take special precautions for data storage. You also have a lot more power – you can take action in case something goes wrong or you want to take back a decision.
As a business person, however, you might be thinking of the GDPR as a burden. You couldn’t be more wrong! It is actually a blessing in disguise. With the introduction of this regulation, every business knows exactly what rules they need to follow and what consequences they will face in case of a mishap. This leads to a higher level of care being taken. If you follow all the rules properly, your clients will also willingly trust you with their information. Data transfer is also more straightforward now due to these standard data protection rules that are now in place.
All parties are now on the same page.
Legal lingo is hard to understand, so we tried to keep it as simple as we could. However, if there is anything you are confused about, drop us a comment or email and we will be happy to help you out!