Readers will be well aware that the GDPR (the General Data Protection Regulation) comes into effect in UK (and EU) law from 25 May 2018. Many will have been making arrangements to be ready for that date.
Some key changes made by the GDPR
The definition of personal data has been clarified, to make it clear that it covers not only names, addresses and telephone numbers, but also IP addresses and other online identifiers. So if you provide free Wi-Fi in your building, and collect the IP addresses of all users, this will be caught by the GDPR.
The old rules applied to "data controllers", who decide how data is collected. The new rules will now also cover "data processors" (people who process the data). So if a property manager is given the contact details of every person working or living in a building, or has the record of every person's entry and exit in the building, they will be caught by the GDPR.
The rules for obtaining consent to use personal data are also changing. We set out below some clarification of these changes.
Busting the myths
Among all the noise being generated around the importance of compliance, a number of issues have become confused in many people's minds, and many myths have evolved. The UK's data regulator, the Information Commissioner (and the Commissioner's Office, the ICO) has issued a myth-buster, and here, we consider three of the big myths that we regularly face.
Fines won't be the maximum
It has been suggested that, because fines can now be as high as €20million, fines will be as high as €20million. That is theoretically true, but the ICO has tried, perhaps somewhat unsuccessfully given that the myth continues, to dampen down that fear. With the current cap of £500,000, there have been two £400,000 fines, most recently to Carphone Warehouse for not taking sufficient care to prevent data breaches, and previously to TalkTalk after its much-publicised data breach.
The ICO is trying to make it clear that just because it fined businesses £400,000 against a £500,000 cap, it is not going to be issuing €16million fines under GDPR. I would expect fines to reach £1m or £2m for really serious breaches, but not to go beyond that for some time.
The myth of 'consent'
It is a common misconception that businesses always need consent to process personal data. In fact, they can rely on one of probably three other lawful bases for processing personal data. Most importantly, they might have a legitimate interest in processing the data, which is not outweighed by the individual's data rights.
So, for example, an estate agent instructed to sell a property can process data relating to people looking to buy properties without expressly obtaining their consent. Indeed, to force them to consent to processing before agreeing to share property particulars with them might mean the consent was not freely given.
Consent, however, is required for direct email and SMS marketing – unless a limited exemption applies. That limited exemption is: where a business has collected personal contact details in the course of a sale of goods or services, it may send electronic marketing to that person for its same or similar goods or services. That is known as the 'soft opt-in'.
A gentle start
Finally, although GDPR is effective from 25 May, no-one is expected to be 'compliant' on that date. Compliance is an ongoing journey, and businesses - which have had two years to prepare for implementation - will be expected to continue to work towards better compliance in the months to come.
One of the key aspects of the GDPR is 'accountability'. This means that businesses are expected to keep sufficiently detailed and contemporaneous records of their compliance. This record-keeping obligation only applies to businesses employing more than 250 people, but there is a myth that the whole of GDPR applies only to bigger businesses. GDPR applies to all businesses, of whatever size.