The purpose of this article is to help you work out how your business might be affected by GDPR. Indeed, clients often ask whether the information they handle in the course of their business will be captured by this new law. For full and comprehensive advice on how GDPR might apply in your particular situation, please contact us.
GDPR is Europe’s new framework for data protection laws, replacing the previous 1995 Directive. It took effect in all EU member states on 25 May 2018. In the UK, the Data Protection Act (DPA) 2018 also came into force on 25 May 2018. As such, the new law will still be relevant in the UK post-Brexit. GDPR seeks to give data subjects further control of their personal data, whilst also imposing enhanced rules on those who then deal with this data.
GDPR is primarily concerned with the protection of personal data. GDPR defines personal data as “any information relating to an identified or identifiable natural person (data subject).” Examples of personal data would therefore include personal information such as a name and address, family details, lifestyle and hobbies, and education and training. Also caught would be health-related information, employment data, financial information and contractual information (for example, goods and services provided to or by the data subject). If the information that you collect includes personal data, GDPR will be applicable to your business. As a result, you would be required to comply with the obligations conferred upon your business by this law.
The penalties for a failure to comply with GDPR include two levels of fine. The first category of breach can be punished with a fine of up to €10 million or 2% of global annual turnover (whichever is higher). The second category of breach can be punished with a fine of up to €20 million or 4% of global annual turnover (again, whichever is higher). As you can see, the magnitude of these fines is substantial, and it is therefore essential that businesses comply with GDPR.
Please note, however, that GDPR does introduce a new concept known as “pseudonymisation”. This is where personal data is processed so that it can no longer be attributed to a data subject without the use of additional information. While pseudonymous data will be treated as personal data, it will not need as stringent protection as direct personal data. Pseudonymising data allows companies to collect certain data that does not contain personal information, and thus is not within the remit of GDPR. This could be beneficial in market research situations, for example.
This article has sought to demonstrate how businesses must be cautious when collecting data that is personal in its nature, and adhere to GDPR where this is the case. However, it is important to note that not all data will be captured by GDPR, and it may be that your business can benefit from pseudonymisation.
If you have any queries relating to the GDPR on which you would like further advice, please contact us.