25 May 2018. The date from which the General Data Protection Regulation (‘GDPR’) will apply in the UK. For some time now, businesses have been bombarded with dire warnings of the consequences of non-compliance with the new rules. Most of the companies we work with have GDPR on their radar, and they are well aware that it brings hefty sanctions. But there is some uncertainty over what data GDPR actually applies to, and whether personal information controlled and processed by individual businesses is caught by the new regime.
IT’S ALL ABOUT THE INDIVIDUAL
The whole focus of GDPR is the individual. The legislation itself describes the protection of personal data as a ‘fundamental right’. The Data Protection Act 1998 (the ‘DPA’), the law that GDPR replaces, already imposes strict data protection requirements on businesses. But in an era of technological advances and ever more sophisticated methods for companies to collect and analyse personal information, those safeguards are no longer considered sufficient. So, while both the GDPR and the DPA apply to ‘personal data’, the GDPR widens the meaning of that term. In addition, for businesses that rely on consent to process personal data, obtaining valid consent has been made significantly more onerous: it must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. Our team provides tailor-made GDPR compliance solutions to a range of business entities in the UK and overseas.
THE EXTENSION OF ‘PERSONAL DATA’
GDPR keeps the core definition of personal data (‘any information relating to an identified or identifiable natural person’) but spells out that a person can be identified by reference to identifiers such as a name, an identification number, location data and online identifiers, and it names genetic identity among the factors that can make someone identifiable. The online identifiers in question include IP addresses, cookie identifiers and mobile device IDs. This means all of these pieces of information are treated as personal data and get the full protection of the rules, even where the business never learns the person’s name. The inclusion of online identifiers will particularly affect companies doing business online: web server logs, analytics databases and advertising profiles keyed on cookies or device IDs are all in scope.
WHAT IS ‘SENSITIVE PERSONAL DATA’?
Some personal information is considered so sensitive that companies have a greater responsibility to the individual when handling it. Under the DPA this ‘sensitive personal data’ includes details about an individual’s health, racial or ethnic origin, political opinions and trade-union membership. GDPR calls these the ‘special categories of personal data’ and adds genetic data, and biometric data processed for the purpose of uniquely identifying a person (fingerprint or face templates used for authentication, for example). The new legislation also spells out what is meant by health data: it covers information about the provision of health care services that reveals something about an individual’s health status.
If a business wishes to process special category data it will usually need the individual’s explicit consent before doing so, unless one of the other narrow conditions in the legislation applies (for example, where the processing is necessary to meet employment law obligations, or for medical purposes under a duty of professional secrecy). Where the processing is likely to result in a high risk to individuals, and large-scale processing of special category data is expressly treated as such a case, a data protection impact assessment (DPIA) must be carried out before the processing starts.
REDUCING THE IMPACT OF GDPR: ‘PSEUDONYMOUS DATA’
Companies can reduce their GDPR compliance exposure through so-called ‘pseudonymous data’. The concept is new to the legislation, and GDPR encourages it as a security measure. It involves processing personal data in a way that means it can no longer be attributed to an individual without the use of additional information, and keeping that additional information (typically a key or a lookup table) separately, under its own technical and organisational controls. Techniques such as encryption, keyed hashing and tokenisation let companies transform data in this way. Pseudonymous data is still ‘personal data’, because the business can re-link it, but it is treated more favourably in places. For example, a business need not notify affected individuals of a breach where the data taken was unintelligible to whoever obtained it (notification to the regulator may still be required), and pseudonymisation counts in favour of further processing, such as research or statistics, being compatible with the purpose for which the data was originally collected, so it can sometimes avoid the need to go back to individuals for fresh consent. The caveat is that this relief depends on the additional information really being held apart: if the key sits alongside the dataset, or the ‘pseudonym’ is an unkeyed hash that anyone can recompute, the data is in practice still directly identifiable.
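The point a practitioner will want to see demonstrated is that the pseudonym must depend on something the attacker does not hold. Hashing an IP address or an e-mail address with plain SHA-256 only looks opaque: the IPv4 space is small enough to enumerate, and e-mail addresses can be taken from breach lists, so the ‘pseudonym’ is reversed simply by recomputing the hash. A keyed function such as HMAC, with the key stored away from the dataset, gives the property the paragraph describes. The following is an added example, not code from the original article; the records, the key and the address range are constructed for illustration.

```python
"""Keyed pseudonymisation of identifiers versus an unkeyed hash.

Added example. The records below are constructed (RFC 5737 documentation
addresses and example.com mailboxes), not real data.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Dict, List, Optional

# Constructed sample records: two direct identifiers plus one event field.
RECORDS = [
    {"email": "alice@example.com", "ip": "203.0.113.7", "event": "login"},
    {"email": "bob@example.com", "ip": "203.0.113.200", "event": "purchase"},
    {"email": "alice@example.com", "ip": "203.0.113.7", "event": "logout"},
]


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256: looks opaque, but anyone can recompute it."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a key kept separately from the dataset.

    The key is the 'additional information' of GDPR Art. 4(5): without it
    a candidate value cannot be turned into a pseudonym, so the dictionary
    attack in dictionary_attack() has nothing to compare against.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the direct identifiers, keep the non-identifying event field.

    The same input always maps to the same pseudonym under one key, so the
    analytics team can still count events per user without seeing who the
    user is.
    """
    return [
        {
            "email": keyed_pseudonym(r["email"], key),
            "ip": keyed_pseudonym(r["ip"], key),
            "event": r["event"],
        }
        for r in records
    ]


def dictionary_attack(target: str, network: str, key: Optional[bytes] = None) -> Optional[str]:
    """Try every address in `network`; return the one whose digest matches.

    key=None models an attacker who obtained a dataset protected only by an
    unkeyed hash. Passing the real key models the controller re-linking a
    record, which is exactly why pseudonymised data is still personal data.
    """
    for ip in ipaddress.ip_network(network):
        candidate = str(ip)
        digest = keyed_pseudonym(candidate, key) if key is not None else naive_hash(candidate)
        if hmac.compare_digest(digest, target):
            return candidate
    return None


def demo() -> Dict[str, object]:
    """Run the comparison on the constructed records."""
    key = secrets.token_bytes(32)  # store this in a KMS/HSM, never beside the data
    pseudo = pseudonymise(RECORDS, key)
    leaked_naive = naive_hash(RECORDS[0]["ip"])  # what a naive scheme would have stored
    return {
        "same_person_same_pseudonym": pseudo[0]["email"] == pseudo[2]["email"],
        "naive_hash_recovered": dictionary_attack(leaked_naive, "203.0.113.0/24"),
        "keyed_recovered_without_key": dictionary_attack(pseudo[0]["ip"], "203.0.113.0/24"),
        "keyed_recovered_with_key": dictionary_attack(pseudo[0]["ip"], "203.0.113.0/24", key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The /24 range keeps the demonstration fast, but the attack scales: the whole IPv4 space is about 4.3 billion hashes, well within reach of a single machine. Rotating the HMAC key also gives a cheap way to break linkage between data sets that were never meant to be joined, because the same address yields different pseudonyms under different keys.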
It’s worth pointing out too that data that is completely anonymised, where the individual cannot be identified from it by any means reasonably likely to be used, is not subject to GDPR at all. The bar is high: stripping out names is rarely enough if the remaining fields (dates of birth, postcodes, rare combinations of attributes) can be matched against other sources, and a dataset that the business itself can still re-link is pseudonymised, not anonymised.
In advance of GDPR, all companies, and online businesses in particular, should examine the data they hold and how they use it. Big Data Law works closely with UK and overseas companies to steer them toward GDPR compliance. If you have concerns about any aspect of GDPR you can contact our team in confidence by calling +44 (0) 7545 813 894 or by completing the online enquiry form.