The General Data Protection Regulation (“GDPR”)
The above ‘new’ data protection law comes in to force in the UK and across Europe on 25 May 2018. Regardless of Brexit it’s coming in.
In the words of our friends in Europe “rapid technological developments and globalisation have brought new challenges for the protection of personal data”. They’re not wrong -when the current data protection act was first drafted in Europe in or before 1995 the internet was still in its infancy. I don’t need to tell the members of Silicon Canal that technology has come on a bit since then! The new law seeks to address those changes.
In this article I’ll concentrate on the key issues that entrepreneurs and those involved in design and creation of technology need to be mindful of -if the use of that technology involves the processing of personal data.
What is personal data? Well it’s any information that identifies a living individual. In a recognition that technology has advanced is the slightly expanded definition of personal data which now includes such things as location data, online identifers (such as I.P addresses) and genetic and biometric data – think of Siri or Alexa holding information on a person’s voice, touch I.D, facial recognition etc.
What is processing? It has a legal definition but essentially it’s collecting, analysing, storing, using, sharing, erasure etc. of a person’s information. A practical example would be a website selling a product to a consumer. The act of collecting the customer’s details, the storage of the same, the use of it and eventual erasure is all processing.
There are currently 8 data protection principles (being reduced to 6 under the new law). By law [I’m simplifying] personal data has to be processed lawfully, fairly and transparently, collected for specific purposes, be accurate, kept up to date, kept for no longer than necessary and kept safe.
So what’s new?
A person’s right to data portability. If a person gives information to a controller (say a retailer) under a contract then they have the right to receive the information back in a machine readable format. They can then give the information to a new controller or ask the old one to pass it on. It’s aimed at introducing more competition between businesses. Examples given to date are books or songs purchased and held online that can be ‘ported’ to a new provider.
Data protection by design and by default- it’ll be a legal requirement to minimise the amount of personally identifiable information that is processed. At the design stage thought should be given as to how the purpose of collecting and using the information etc. can be met but using as little identifiable information as possible.
Impact assessments – again where any use of information, in particular, using new technologies , is likely to have privacy implications, then there needs to be an assessment of the impact upon the individual(s). This assessment and how to address the issues helps inform the design stage and, in theory, results in data protection by design.
I hope the above brief summary is of some use.
For further information please contact me via email firstname.lastname@example.org or mobile 07397 943394.
Data Protection Lawyer and Trainer