GDPR Explained By Isabelle Hease

Posted by BPF Futures Advisory Board on 30th May 2018

What is GDPR?

The General Data Protection Regulation (GDPR) is a regulation in EU law put in place to strengthen and unify data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The regulation represents one of the most important pieces of European legislation introduced in recent times, as it provides EU citizens with enhanced protection from data breaches and greater control over their privacy; the previous rules governing these issues, established in 1995, were significantly out of date.

When did GDPR come into effect?

GDPR was approved and adopted by the EU Parliament in April 2016; however, the regulation officially took effect on 25th May 2018.

Who does GDPR apply to?

GDPR applies to the processing of personal data carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. GDPR does not apply to certain activities, including processing covered by the Law Enforcement Directive, processing for national security purposes, and processing carried out by individuals purely for personal or household activities.

Understanding whether you are processing personal data is critical to understanding whether the GDPR applies to your activities.  

What is personal data?

Under the new regulations, ‘personal data’ means any information relating to an identified or identifiable natural person. An identifiable natural person is anyone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and may only be processed in more limited circumstances.  

What are the principal regulations surrounding GDPR?

  • Businesses should take all reasonable steps to ensure the personal data held is not incorrect or misleading.
  • Personal data must not be kept for longer than is needed.
  • Businesses must be able to justify a purpose for holding the data, and a reason for however long personal data is kept.
  • Data must be adequate – sufficient to properly fulfil a stated purpose.
  • Data must also be relevant – it must have a rational link to that purpose.
  • Businesses must identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data.
  • Businesses must be clear, open and honest with people from the start about how they will use their personal data.
  • Businesses must ensure that they have appropriate security measures in place to protect the personal data they hold.
  • Consent must be given in order to hold and process personal data.

What is Consent?

Consent means offering individuals real choice and control over the use of their data. Explicit consent requires a very clear and specific statement of consent which should be kept separate from other terms and conditions. Consent cannot be a precondition for the provision of a service. Consent must be given on a positive opt-in basis, therefore no pre-ticked boxes can be used to record consent.  

Many businesses are choosing to use double opt-in, where consent is given twice. GDPR does not make double opt-in a requirement; however, it helps businesses be as compliant as possible when ensuring adequate consent is given for the storing and handling of personal data.

What about GDPR in a B2B environment?

The first thing to make clear is that a business email address (i.e. [email protected]) does fall within GDPR. That doesn’t mean, however, that you can’t send an email to an individual’s business email address without prior consent. Direct marketing is recognised as a legitimate interest under GDPR and is deemed a legal basis for processing the data. This effectively means that GDPR defers to the existing Data Protection Act in respect of B2B, with the principal requirements being to identify yourself as the sender and to provide a clear and easy way for the recipient to opt out.

Will Brexit impact GDPR?

In summary, no. The UK Government has indicated it will implement an equivalent or alternative legal mechanism after Brexit. The expectation is that this legislation will largely follow the current GDPR regulations. Importantly, GDPR provides a clear baseline against which UK businesses can seek continued access to the EU digital market after Brexit.
