GDPR Explained By Isabelle Hease
Posted by BPF Futures Advisory Board on 30th May 2018
What is GDPR?
The General Data Protection Regulation (GDPR) is a regulation in EU law put
in place to strengthen and unify data protection and privacy for all
individuals within the European Union (EU) and the European Economic Area
(EEA). It is one of the most important pieces of European legislation to be
introduced in recent times: it gives EU citizens enhanced protection against
data breaches and greater control over their privacy, and it replaces the
previous data protection rules, which dated from 1995 and were significantly
out of date.
When did GDPR come into effect?
GDPR was approved and adopted by the EU Parliament in April 2016. After a
two-year transition period, the regulation became enforceable on 25th May 2018.
Who does GDPR apply to?
GDPR applies to the processing of personal data carried out by organisations
operating within the EU. It also applies to organisations outside the EU
that offer goods or services to individuals in the EU, or that monitor the
behaviour of individuals in the EU. GDPR does not apply to certain
activities, including processing covered by the Law Enforcement Directive,
processing for national security purposes, and processing carried out by
individuals purely for personal or household activities.
Understanding whether you are processing personal data is therefore critical
to understanding whether GDPR applies to your activities.
What is personal data?
Under the new regulation, ‘personal data’ means any information relating
to an identified or identifiable natural person. An identifiable natural
person is anyone who can be identified, directly or indirectly, in particular
by reference to an identifier such as a name, an identification number,
location data, an online identifier, or to one or more factors specific to
the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person. Note that indirect identification counts:
data that does not name a person but can be combined with other information
to single them out is still personal data.
Personal data may also include special categories of personal data (for
example health, biometric or genetic data) or criminal conviction and
offence data. These are considered more sensitive and may only be processed
in more limited circumstances.
What are the principal requirements of GDPR?
- Businesses should take all reasonable steps to
ensure the personal data they hold is not incorrect or misleading.
- Personal data must not be kept for longer than is
necessary for the purpose for which it is processed.
- Businesses must be able to justify a purpose
for holding the data, and a reason for however long personal data is
retained.
- Data must be adequate – sufficient to properly
fulfil a stated purpose;
- but also relevant – having a rational link to that
purpose – and limited to what is necessary for it.
- Businesses must identify valid grounds under the
GDPR (known as a ‘lawful basis’) for collecting and using personal
data.
- Businesses must be clear, open and honest with
people from the start about how they will use their personal data.
- Businesses must ensure that they have appropriate
security measures in place to protect the personal data they hold.
- Consent is one of the available lawful bases, not a blanket requirement.
Where consent is the basis relied on, it must be freely given, specific,
informed and unambiguous.
What is Consent?
Consent means offering individuals real choice and control over the use
of their data. Explicit consent, which is required for processing special
category data on the basis of consent, requires a very clear and specific
statement of consent which should be kept separate from other terms and
conditions. Consent should not be made a precondition for the provision of a
service unless the processing is actually necessary for that service.
Consent must be given on a positive opt-in basis, so pre-ticked boxes cannot
be used to record consent, and individuals must be able to withdraw consent
as easily as they gave it.
Many businesses are choosing to use double opt-in, where the individual
confirms their consent a second time, typically by clicking a link in a
confirmation email. GDPR does not specify that double opt-in is a requirement;
however, it gives the business stronger evidence that valid consent was
given for the storing and handling of personal data.
What about GDPR in a B2B environment?
The first thing to make clear is that a business email address that
identifies a named individual does fall within GDPR. That doesn’t mean,
however, that you can’t send an email to an individual’s business email
address without prior consent. Direct marketing is recognised as a
legitimate interest under GDPR and can therefore serve as a lawful basis for
processing the data, provided the business has weighed its interest against
the individual’s rights. In practice the UK rules for B2B email marketing
continue to come from the Privacy and Electronic Communications Regulations
(PECR) rather than from GDPR itself, with the principal requirements being
to identify yourself as the sender and to provide a clear and easy way
for the recipient to opt out. Under GDPR an individual also has an absolute
right to object to direct marketing, so any such objection must be honoured.
What about GDPR after Brexit?
In summary, Brexit does not remove the need to comply. The UK Government
has indicated it will implement an equivalent or alternative legal mechanism
after Brexit, and the expectation is that UK legislation will largely follow
the current GDPR rules. Importantly, GDPR provides a clear baseline against
which UK businesses can seek continued access to the EU digital market after
Brexit.