Do They Mean Me? GDPR – Overview and The Basics

In a series of articles, I’ll cover GDPR and what it means to your business – the basics, responsibilities, requirements, rights of data subjects, data breaches and how to go about compliance.

In this article, I’ll provide an overview of GDPR and explain the basics of the regulation. If your business holds data of any type on EU citizens then you need to read this. Potential penalties for not complying with the regulation are designed to be painful: 4% of global turnover or €20 million, whichever is the greater. Now that’s painful! So don’t get caught out being careless with an email address. It’s important.

GDPR Overview

GDPR is a regulation adopted on the 14th April 2016 by the EU parliament. It stands for General Data Protection Regulation. Businesses had 2 years to comply; the regulation becomes enforceable across the European Union from 25th May 2018. It replaces the 1995 European data protection law. That law was adequate for technology as it stood in 1995, but the rapid advances in technology since then have meant it is no longer adequate. That’s where GDPR steps in, as a complete overhaul of privacy law.

GDPR contains 99 articles, all covering the basic data privacy of EU citizens. The regulation requires businesses to protect the personal data and privacy of EU citizens. There has been an unprecedented growth in data breaches: in 2017, there were over 1200 breaches impacting 172 million records. These were reported breaches; how many went unreported, you may wonder.


If you are struggling with GDPR compliance and don’t know where to start, Buzz Web Design & Consultancy has put together a helpful pack to get you started on the road to compliance by 25th May 2018: GDPR Compliance Pack


GDPR has 3 primary objectives:

  • Control – each citizen must opt in and provide consent to how their data is used and processed. A citizen can revoke that consent at any time and has a right to be forgotten.
  • Trust – the regulation wants to encourage confidence among citizens about the safety and care of their data.
  • Simplicity – rules and legislation on data have been fragmented to date, leaving many businesses unaware of how those rules apply to them. The hope of GDPR is that ambiguity is removed and obligations around the control and processing of data are clear.

Scope – do they mean me?

In terms of scope, every organisation doing business with the EU is in scope, no matter their size or industry or where in the world they are.

Any personal data collected, analysed or stored is in scope, as are the systems (automated or manual) that process that personal data. Personal data is any data that can be used to identify you as a natural person: a name and location, for example, or an IP address or web browser cookies, because they can indicate who you are and where you are. Further examples of personal data (not an exhaustive list):

  • social security numbers
  • names
  • physical addresses
  • email addresses
  • IP addresses
  • behavioural data
  • location data
  • financial information

Another aspect is that a data set on its own may not identify a name or location, but when it is combined with another data set it can.

What does compliance mean?

Compliance means having the mechanisms in place to protect data. If a business is deemed not to be compliant, then criteria will be used to assess the level of non-compliance: the mitigations a business has in place to protect data, its history of previous breaches, and its co-operation with the governing body. TalkTalk was fined £400,000 in 2017 for security failings. Under GDPR that fine would have been substantially higher.

GDPR Responsibilities

There are 2 key definitions within GDPR that need to be understood in terms of data processing:

1. Data Controller
A data controller has responsibility for the control of personal data. They are the data owner and have ultimate accountability for the safety of the data. They must ensure they are compliant: that the data was obtained fairly and is being kept for its identified and communicated purpose. They must also manage any processors they use.

2. Data Processor
Data processors are engaged by controllers to obtain, analyse and store data on the controller’s behalf. For example, third-party vendors such as MailChimp, which processes data for email marketing purposes. A data processor must act exactly as directed by the controller and is responsible to the controller. A processor will need to seek permission from the controller to sub-contract any of its data processing obligations.

An Example

A company called MarketingXYZ has a set of employees and they keep personal data as part of their employment contract. In this instance, MarketingXYZ becomes the data controller. If MarketingXYZ then uses an HR software company to process and store that personal data, then the HR company is the data processor. There would be a contract between MarketingXYZ and the HR software company detailing what data MarketingXYZ is responsible for and what the HR software provider is allowed to do as the processor of the data.

Do I need a Data Protection Officer (DPO)?

The regulation states that a data controller or processor engaged in ‘large-scale systematic monitoring of individuals’ (for example, online behaviour tracking) needs a DPO. There was a view at one time that ‘large scale’ meant organisations with 250 employees or with 5000 records. This was refuted by the Information Commissioner’s Office (ICO) in June 2017. The general guidance is: assume you need one unless you can defend why you don’t.

So those are the basics of GDPR, to get you started thinking about it and how it applies to your business. Start to think about:

  • the data you hold
  • why you hold that data
  • how you got that data
  • what you do with that data
  • what third parties may be involved with that data

For more information on GDPR:

ICO’s Guide To GDPR

Next time I’ll take a closer look at technical elements, requirements and work through some specific examples.


Buzz Web Design and Consultancy