The GDPR is the new EU-wide data privacy law – the General Data Protection Regulation. The GDPR replaces and updates much of the Data Protection Act 1998 with more stringent rules in many areas.

The UK is leaving the EU, does Brexit impact the GDPR?

The GDPR comes into force before the UK leaves the EU, so it will be law from 25th May 2018. The UK Government has made no proposal to repeal it; in fact the EU Withdrawal Bill now passing through parliament will codify the entire body of EU law into UK law, including the GDPR, before March 2019.

Not retaining the GDPR post-Brexit would significantly and negatively impact UK businesses, as organisations based in the remaining EU countries would encounter higher barriers to transferring data to the UK. The UK government and UK-based businesses clearly do not wish this to happen, so the GDPR, or rules very similar to the GDPR, are very likely to remain in force in the UK indefinitely.

Will there be a grace period for implementing the GDPR?

No. As of 25th May 2018 the GDPR will come into force and all impacted organisations are expected to be compliant. If you are not compliant with the regulation in your use of personal data you will be liable to fines, censure or other sanctions by the regulator (the UK Information Commissioner) or to litigation by individuals or public interest groups.

Does the GDPR apply to my specific business or organisation?

The GDPR applies to any type of business or organisation (see list below) which processes personal data relating to living individuals and is:

A) Established in the EU (which includes the UK)
B) Established outside the EU but offers goods or services to individuals in the EU, eg sells to UK customers from a base in the USA or the Channel Islands
C) Established outside the EU and tracks the behaviour of individuals in the EU, eg using cookies or location-based data from mobile phone apps.

All types of organisation are in scope:

  • no minimum size of organisation
  • companies (Ltd, Plc)
  • sole traders
  • partnerships (General, LLP etc)
  • charities
  • not-for-profit organisations
  • religious organisations
  • clubs
  • NGOs
  • public sector organisations
  • unions
  • branches of overseas organisations
  • etc.

The only exemptions are:

  • Household activity, eg address books and private social media posts to your contacts
  • Law Enforcement Activities, which are regulated by the Law Enforcement Data Protection Directive

I’m just a one-person company, surely the GDPR can’t apply to me?

Unfortunately it does. There are no size limits under the GDPR. If you process personal data, eg of customers, it applies to you.

The GDPR definition of ‘personal data’ is very broad – it is different from and broader even than the similar US term ‘personally identifiable information’ or PII.

Basically, anything that relates to an individual is in scope. This includes any piece of data which, on its own or in combination with any other piece of data, whether in your possession or not, could identify a living individual.

This means not just name, address, social security number, bank account details and credit card numbers, but also includes mobile device IMEI numbers, IP addresses, browser or device fingerprints, images, biometric information, location data and so on – these are only a few examples.

There are particular rules around the processing of ‘sensitive data’, also known as ‘special categories of personal data’. This includes factors such as ethnicity, religious or other beliefs, biometric data of any kind and health data. If you process this data inappropriately the sanctions are severe.

The UK regulator is taking a tough line.

The regulation is directly effective in UK law, so there is limited wiggle-room. Many contentious issues have been discussed and opined upon by the EU data privacy regulators’ group, the Article 29 Working Party, which the UK Information Commissioner attends and contributes to, and which is being replaced by the European Data Protection Board (EDPB).

Any watering down by the UK Regulator would likely be challenged by the EDPB and the European Courts where the final determination will be made. This route is likely to persist post-Brexit, so overall, there’s not much scope or appetite for watering down.

I only have business customers, not personal customers, does the GDPR apply to me?

Very likely yes.

  • If any of your customers are sole traders, partnerships (outside Scotland) or unincorporated associations, then you have personal customers.
  • If you have employees, their data is in scope.
  • If you track visitors to your website in an identifiable way, that tracking data is in scope.
  • If you process data for other companies on an IaaS, PaaS or SaaS basis, eg providing cloud services or web hosting, those operations are in scope.
  • If you direct market to individuals at organisations, eg emailing name@company.com, you are in scope.

Call us to discuss how the GDPR impacts your business.

My company hosts/processes data for other businesses, aren’t they the ones who need to be compliant with the GDPR?

You need to be compliant too.

The GDPR imposes new obligations on data processors, including updated contracts between your customer (the data controller) and your business (either a processor, independent controller or joint controller), and requirements around data breach notification.

Similarly, if you sub-contract any of your processing to other parties, such as Amazon Cloud Services or specialist service providers, you need to ensure those contracts are also compliant. If your processors are located outside the EU, even more stringent regulations may apply.

It’s good business to show your customers you are being proactive and take your responsibilities to protect their data seriously. It’s also an opportunity to differentiate yourself from your competitors – before they do it first.

We have a dedicated contract compliance review service which can review your supplier contracts, highlight deficiencies and propose changes to become compliant. We can also provide you with back-up to your negotiations if required.

I’m not used to having to comply with regulations, isn’t that just for banks?

The GDPR applies to every type of organisation.

Your company already complies with some types of regulations: VAT rules or PAYE rules, for instance, and your accountant helps with these. If you have premises, you have Health & Safety regulations. If you have employees you have HR procedures and an employee handbook.

We can partner with you to right-size your response to the GDPR and help you get compliant in the most efficient way by addressing the highest risks first.

I’ve heard GDPR fines can be enormous – what’s the damage?

The Regulator can levy fines up to 4% of global turnover (not profits) or €20 million, whichever is the higher. This is significantly higher than the previous £500,000 maximum fine under the Data Protection Act.

The maximum fine won’t always be levied, but together with the reputational and brand damage it could seriously harm a business.

Should the worst happen and you have a data breach or break the regulations, even when you’ve done your best, the Regulator will take into account the action you’ve taken relative to the circumstances of the infringement when assessing what sanction to apply.

Is it true that PPI-style claims management companies are looking for more victims from GDPR?

Yes. PPI winds down in 2019. Claims management companies are already looking for their next revenue stream and see the GDPR as an opportunity, because it introduces new rights of the individual. Infringement penalties are no longer limited to just an administrative fine from the regulator.

If you infringe the new rights, the individual (or thousands of individuals gathered into a class action by a claims management company) can sue your company for damages. A single batch of unsolicited marketing emails could open you up to mass litigation.

No, but the rules limit the direct marketing you can do. If you direct market to individuals on the basis of consent, for example by using marketing preferences, you need to refresh these to be GDPR-compliant before 25th May 2018 or you may not legally be able to contact those individuals after that date.

My peers don’t seem to have done anything about the GDPR, why should I worry?

Three good reasons why you should take action to become GDPR-compliant:

  1. ‘Everyone else is doing it’ was no defence against PPI claims, which have cost the banking industry billions in fines, compensation and costs of administering claims, not to mention brand damage and the opportunity cost of wasted management time. How would your ability to manage your organisation be impacted if a stream of claims began?
  2. Don’t be an obvious target: if you are patently not compliant you will be a target of claims management companies and unscrupulous individuals making a living out of making bogus claims. Get ahead of your peers and stay off everyone’s radar. Consider the burglar alarm effect: if one house has an alarm and the house next door doesn’t, which one gets burgled?
  3. It’s good business: Reputable organisations are taking steps to show their customers and employees that they take data privacy seriously. Individuals will get used to the pattern of privacy notices, consent wordings, requests for approval and so on. When they find a website or business that doesn’t comply, it won’t feel right. Don’t lose their trust: show you care and get compliant to maintain and build trust and loyalty in your brand.
  4. Also, you don’t know what your peers are actually doing. Maybe they are doing the background work and haven’t yet released their changes.

Will you be ahead of the herd or the lame wildebeest stalked by lions?

I’ve missed the GDPR deadline, what should I do?

  1. Don’t ignore it. This is akin to throwing that red invoice reminder in the bin. It will come back and bite you if you don’t deal with it.
  2. Call us now to discuss your needs and how to assess the impact on your business.
  3. Take risk-based decisions to address the highest risks to individuals’ data before the deadline and the lower risks over the coming months.

If you can’t devote the necessary resources, you will carry compliance risk until such time as the remaining risks are eliminated. Showing that you have a committed plan which addresses the highest risks to individuals’ data first and other risks in a planned programme will provide some mitigation. Consider: if the regulator comes knocking, would you rather show you’ve got a plan or no plan?

Yes, if:

  • Your organisation is a public authority; or
  • Your business includes regular and systematic monitoring of individuals on a large scale, eg tracking users of a website or providing services that track users’ locations; or
  • Your business consists of processing special categories of personal data on a large scale.

Any organisation may also decide to appoint a DPO voluntarily to show best practice in data privacy.

The Article 29 Working Party has provided guidance on key terms:

‘Core Activities’ form an inextricable part of the controller’s or processor’s activity. This excludes supporting activities such as payroll or IT support, which are ancillary functions; anything that inputs to the business activity would be a core activity.

‘Large Scale’ – self-assessment by the organisation should take into account:

  1. the number of data subjects concerned
  2. the volume of data or range of data items
  3. the duration of the processing and
  4. the geographical extent of the processing.

‘Regular and Systematic Monitoring’ includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising.

‘Regular’ monitoring means ongoing/occurring at particular intervals for a particular period; recurring or repeated at fixed times or constantly or periodically taking place.

‘Systematic’ means occurring according to a system; pre-arranged, organised or methodical; taking place as part of a general plan for data collection; or carried out as part of a strategy.

For example: a large retail website may use algorithms to monitor the searches and purchases of its users. The website offers recommendations to its users based on the algorithm. This takes place continuously and according to predefined criteria, therefore it can be considered as regular and systematic monitoring of data subjects on a large scale.

If you are unsure, call us to discuss your business practices.

We offer a contracted-out DPO service to organisations which do not have the resources or skills to support this role full-time or internally.

What about local legislation? The Data Protection Act 1998 was a UK law.

The Data Protection Act implemented the GDPR’s predecessor, the Data Protection Directive. Directives must be implemented into UK law by an act of parliament.

The GDPR is a regulation, which means it is directly effective in UK law without an act of parliament. The UK’s new Data Protection Bill enacts the Law Enforcement Data Protection Directive, which governs data protection by police, prosecution authorities, courts and offender support services (which are exempt from the GDPR), and also the UK’s implementation of the small number of items left to national discretion by the GDPR. Contrary to the Government’s spin, it doesn’t bring in all the protections of the GDPR – the Regulation will apply even without the Bill.