GDPR Summary

06 October 2017 By Frans Lytzen (NewOrbit), Simon Halberstam, Raoul Lumb & Anne Rose (Simons Muirhead & Burton)

What is the General Data Protection Regulation?

The General Data Protection Regulation (GDPR) is a new EU-wide regulation that introduces wide-ranging, new data protection rules. It will replace the Data Protection Act of 1998 (DPA) and be augmented by the UK Government's forthcoming Data Protection Bill.

The GDPR is widely seen as a global game-changer in data protection, with probably the strictest rules anywhere in the world.

Why should I care?

The GDPR will change the rules for any organisation that stores and processes data about humans – so almost all organisations.

The deadline for complying is 25 May 2018. It will take effect irrespective of the process or outcomes of Brexit, and there is no transitional period, so you need to be ready on that date.

Fines have been very substantially increased, potentially running into millions of pounds, even for small companies. The Information Commissioner's Office has already expanded its staff by 40% in May 2017 to prepare for increased enforcement.


When thinking about GDPR, do not think in terms of old-school, mechanistic rules about data protection. The law reads and acts more like human rights legislation; the core principle of the regulation is to "protect the fundamental rights and freedoms of individuals". The regulation is deliberately vague on specifics and it doesn't, for example, set out a specific list of data items you can or cannot store, nor does it give specific rules on how long you can store data. Instead, the law sets out principles for what you can do with the data – the main focus is on the processing of data.

As a rule of thumb, think about what the best possible situation would be for you, as an individual, with regards to what organisations should be allowed to do with your data: there is a pretty good chance that this is what the regulation says.

For software designers, builders, operators and owners, there are some key highlights:

  • Consent: You need to obtain consent for anything you do with people's data. Consent needs to be given freely and it must be possible to withdraw consent as easily as it was to give it.
  • Subject Access Request: Anyone can ask you for a copy of all the data you hold on them – and you must, in most cases, provide it for free.
  • Retention and Erasure: You must only keep data as long as you need it. And individuals have a right to ask you to delete it at any time.
  • Profiling and automated decisioning: Individuals can challenge decisions made by an automated system and have a right to have it re-done by a human.
  • Children: The rules for processing data on anyone under the age of 16 are much tighter than ever before and include a requirement to get a legal guardian to consent on their behalf. Some member states, including the UK, intend to reduce this threshold to 13 years of age.
  • Encryption: Whilst the GDPR does not explicitly require you to encrypt data, it is strongly recommended in the regulation.
  • Secure: Systems must be "secure by default and by design".
  • Reporting: You must now report data breaches that cause a risk to the rights and freedoms of individuals to the ICO within 72 hours of becoming aware, and directly to the affected individuals where there is a high risk to them.
  • Contracts: Your contracts with other people you use to process data or share data with, including cloud providers, email providers, marketing companies, affiliate partners, SaaS providers, possibly your customers etc., need to be updated to include specific GDPR guarantees.

You can download the full text of the regulation. If you are responsible for software systems, it is advisable to download this and at least read the "recitals"; basically the principles set out in plain English.

Controllers and Processors

You will see the phrases Controller and Processor a lot, so let's define those terms.

The Controller is generally the entity who owns the data and Processors are everyone else who does something with the data.

If your software system is used by your organisation to conduct your business, then you are probably the Controller. If you offer a SaaS solution, then the Controller is likely to be your customer and you will likely be a Processor.

In addition, anyone else who is involved in processing the data is a Processor. This includes your hosting provider, your email service provider and so on. If you use NewOrbit to manage your system then NewOrbit is a Processor.

There are strict obligations on Controllers to have contractual relationships with all their Processors to ensure adherence to the rules. This also means that wherever your Processors are based, whether inside or outside of the EU, it is up to you as the Controller to ensure they are complying with the GDPR requirements. Do note that this is a separate issue from that of transferring data outside the EU, which we won't cover here.

Scope of these posts

These posts are written specifically for software owners, designers, developers and ops, which naturally limits the parts of the GDPR on which we focus. Even so, there is a range of subjects that may be relevant to some software products which we have excluded, including but not limited to:

  • Aggregation from other data sources; i.e. if you buy lists or scrape data from websites etc.
  • The right of people to correct their data and the related right to temporarily pause (restrict) processing of data.
  • Special rules and obligations for public sector organisations.
  • Special rules and obligations for large organisations.
  • Transferring of data outside the EU. Suffice it to say, there is plenty of scope to do so, you just need to do it right.
  • The need for a Data Protection Officer. If you need one, you probably already know. See Recital 97 for some notes.

There is an element of hype surrounding the extent of the GDPR and some of that hype is probably not warranted. As far as a software system is concerned, you should consider everything it does and what you do with it to be covered. However, things like day-to-day Word documents and emails that you have on your computer are probably not covered, though it depends on how you store them (see Recital 15 and Article 4, paragraph 6 for more details).

More detailed posts