Whenever GDPR comes up, I like to gauge the knowledge in the room by asking things like:
I was quite surprised that not everybody had even heard of GDPR. We recently published a series of four blogs on the twelve things you should be thinking about now to get ready for GDPR. If you are one of those who have not heard of GDPR, however, keep calm and read on.
The GDPR, or General Data Protection Regulation, replaces the Data Protection Directive enacted in 1995. According to IBM, 90% of all of the data ever created in the history of the world has been created in the past two years. So, it is easy to see how a regulatory framework developed in the early 90s could be a little out of date.
These new regulations will come into force on 25 May 2018 and will apply to all companies processing the personal data of people living in Europe. The law applies to all businesses regardless of where they are based, which inevitably leads to the question: “what about Brexit?” First, the government has stated and reaffirmed numerous times that GDPR will become the data protection regulation for the UK after Brexit. Additionally, if you’ve done your maths, you have already figured out that the UK will still be in the EU in May 2018.
As I said above, these new regulations apply to any company processing data of people who live in the EU. In other words, like the Data Protection Directive, that covers all data controllers who hold and process data on people living in Europe, or, to put it another way, you. Unlike the previous regime, however, GDPR lifts the data processor's veil. Under the old regime, data processors were protected as long as they were following the instructions of the data controllers. GDPR also covers data processors; in other words, us.
Similar to the Data Protection Directive, the GDPR only applies to personal data, but it extends the definition of personal data to include things like online identifiers, location data and advertising IDs. GDPR also defines 'special categories of personal data' which are particularly sensitive, such as genetic data. Genetic data is not something most email marketers will have on their database, but the special categories also include biometric data, which could become more prevalent in marketing databases as we find ever better ways to use VR for marketing and entertainment.
The Data Protection Directive set out principles for processing personal data which are largely unchanged in GDPR. The new regulations add some detail to these principles and introduce a new principle around accountability. This accountability principle requires you not only to comply with the data processing principles laid out in the GDPR, but also to show 'how' you comply with them.
The principles laid out in Article 5 of the GDPR state that personal data shall be:
The GDPR is an evolution rather than a revolution in data privacy regulation, and this applies to how it defines the rights of individuals. Most of the rights stay the same; some are strengthened, and there are some new ones as well. The individual rights are:
There you have it: a whistle-stop tour of the GDPR. If you are curious as to what you should think about next, I encourage you to read our four-part blog series on the twelve things you should think about now: