GDPR: Everything You Need To Know About The New Data Privacy Rules

24 May 2018, 15:20 | Updated: 28 October 2019, 15:53

New GDPR rules come into force on Friday. This is everything that you need to know.

The GDPR, General Data Protection Regulation, is Europe’s new framework for data protection laws.

It replaces the previous 1995 data protection directive and will be enforced by the Information Commissioner’s Office (ICO).

The new regulation begins on the 25th May 2018 and will not be affected by leaving the European Union.

GDPR introduces new fines for non-compliance, obligations for better data management, and new rights that allow people to access the information held about them.

GDPR rules. Picture: PA

What does personal data include?

The types of data a company can hold on an individual will vary depending on the type of business it is but typically includes a person’s name, contact details, location history, and internet browsing habits.

Data also includes dates of birth, appearance and behaviour (including eye colour and character traits), and workplace and education information, including student numbers and salary. Private and subjective data, such as religion or political position, are also considered personal data, as are health or medical history and details of sick leave.

The GDPR defines ‘personal data’ as:

“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Information can be considered personal data either on its own or when combined with other data.

What is active consent to giving personal data?

The new GDPR rules require organisations to obtain active and affirmative consent from the individuals whose data they collect.

“‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

You may have recently received emails from companies asking if you want to “stay connected” or asking to “review your terms”.

This means that companies can no longer use pre-ticked boxes or opt-outs that allow for ‘passive’ acceptance.

Companies need to keep a record of when, and how, an individual gave consent and make it easy for somebody to withdraw consent whenever they wish.

How can individuals request data companies have on them?

People can ask for a copy of all the data a company holds on them, which must be supplied within 30 days.

A Subject Access Request (SAR) does not need to follow any particular format, as long as the request is made in writing.

The key differences between SARs made under the new GDPR and those made under the Data Privacy Act are cost and time.

Where companies were originally allowed up to 40 days to respond, they now have just 30.

Special rules apply when the deadline falls on a national holiday or weekend: businesses are then allowed to respond until the end of the next working day.

And the £10 fee for making a request has been removed; however, a company can charge a "reasonable fee" when a request is manifestly unfounded, excessive, or repetitive.

Do companies have to report data leaks?

Companies have to report all data breaches, including cyber attacks and accidental leaks, to authorities within 72 hours of being made aware of them.

A leak can also be the result of lost or stolen computing devices, and also includes the alteration of personal data without permission.

The ICO says that if a breach is likely to result in a high risk of adversely affecting individuals' rights and freedoms, the company must also inform those individuals without delay.

What happens if a business breaks the GDPR rules?

The Information Commissioner’s Office has the authority to fine companies up to 4% of global turnover, or up to €20 million (£17m).

Other penalties include warnings and reprimands; imposing a temporary or permanent ban on data processing; ordering the rectification, restriction or erasure of data; and suspending data transfers to third countries.

Will GDPR rules apply after the UK leaves the European Union?

The government has confirmed that the GDPR rules will still apply to the UK after Brexit, as it is included in the Data Protection Bill currently going through parliament.

The GDPR will apply to all businesses that offer services in the EU, regardless of the country in which the company is headquartered. This means that an American company will have to apply GDPR rules if it does business in the UK or other European Union countries.

Mark Zuckerberg confirmed to EU officials on Tuesday that Facebook will be ‘fully compliant’ with the GDPR.

“We’re going even further to comply with these strong new rules, making these same new controls and settings available to people who use Facebook around the world,” Mr Zuckerberg said.

He also described a new tool called ‘clear history’ that allows users to remove the data associated with their account, similar to deleting cookies and cache in a web browser.