Everything we do these days occurs online. From paying bills to reading articles to talking to friends to controlling our heating and lighting, every aspect of our lives somehow involves online communications. That means a lot of data going from our hands to the hands of private companies, some of whom will collect as much data as they can about us and make as much money as they can from it. Some estimates have suggested that the data industry around the world is worth around $3 trillion.
These companies collect our data for a variety of reasons. While many of us know these companies are collecting the information, we have to trust them to keep that data safe and make sure it doesn’t fall into the hands of people that could use it for nefarious means. To ensure that our information is kept as safe as possible, some global privacy laws have been written and implemented. The most well known of these is the European Union’s General Data Protection Regulations, or GDPR.
WARNING! WARNING! YOU HAVE BEEN WARNED!
Necessary disclaimer here: I am not a lawyer. I am not legally trained. I have very little understanding of legal principles in general. The content of this post is generated through articles found online and do not in any way, shape or form, constitute legal advice, especially legal advice pertaining to data protection legislation that you are covered under. If you have any questions, consult a legal professional, especially one trained in understanding data protection legislation.
What is the GDPR?
The GDPR was a law passed by the European Union in May 2018. The purpose is to protect the data of EU citizens and includes aspects such as cookie consent tools and the “right to be forgotten”.
The Internet rarely forgets. But when it does ...
If you want to know more about the "right to be forgotten", check out the post on my Instagram feed. It's probably the most ironic aspect of the law, and definitely one of my favourites.
This was hailed by some as a great move in protecting the privacy of citizens, but not everyone agreed. Nevertheless it came into force on 25th May 2018. While it originated from the EU, the impact was global. The law protects the data of EU citizens and requires any company that processes the data of EU citizens to comply with the regulations, regardless of where you are based. These rules were part of a wave of new data regulations that have changed in some ways how our online data is used.
What does GDPR actually do?
GDPR sets out what companies can and cannot do with information it collects about you, sets out requirements that companies must adhere to in order to lawfully collect, process, and store information about you, and sets out the consequences for any breaches of these regulations. This information is considered “personally identifiable information” and includes the following:
- Your name
- Telephone or mobile number
- Home or work address
- Date of birth
- Gender identity
- Racial identity
- Religious and political affiliations and opinions
- Bank account details
- Passport number
- Social media posts and contact information
- Computer’s IP address
- Health records
These are just some of the items that are considered “personally identifiable information” – the list is far longer than this. Laws such as GDPR have their own lists of information, which may have things that other lists won’t.
What do I need to know about GDPR?
There are three important aspects of GDPR that you need to remember. You’ll find these referenced in security articles and by analysts, and they are thus important to remember:
Privacy by Design is the idea that websites and systems should be built to be private, rather than privacy added as an afterthought. One of the core principles of Privacy by Design is that your information is kept secure and that there are as few breaches as possible. Two ways this can be done best are by keeping the information collected to a minimum, and by keeping data security at the forefront of any design and implementation.
Obtaining consent is simply asking users for their explicit permission to process their data. This tends to be the default position for companies as new privacy legislations result in new technologies and new processes that get added later. Companies looking at Privacy by Consent as a means of data privacy explain their data collection policies and practices as clearly and simply as possible, and ask users to explicitly give their consent and agree to them.
New users have certain, specific rights to data privacy under the regulations. It’s important to understand what these rights are, both for your protection and the protection of your customers.
- You have the right to know how your data is collected and used, as well as to know who uses and processes your data.
- You have the right to ask what information is collected about you, without being required to pay anything.
- You have the right to have information about you corrected, if there are any mistakes in your data.
- You have the right to have your data deleted from records (sometimes called the “right to be forgotten”).
- You have the right to refuse data processing requests as you wish. For example, you can allow your data to be processed for ordering purposes, but not for marketing purposes.
These rights are not absolute and can be restricted if they are misused or abused.
Does GDPR apply to me?
If you own a business that targets users in the European Union, then GDPR applies to you. If your site collects any information about users, including email addresses for contact forms, comments, or mailing lists, you need to abide by GDPR regulations. If your site doesn’t collect information or sell products to visitors in the EU, you should be in the clear. It is worth checking, just to be sure.
Does the GDPR still apply in the UK?
Yes, it does. The UK became a signatory to GDPR before Brexit happened, and so GDPR was written into UK law. The Brexit transition phase ended on 31st December 2000 and the UK was removed as a member of the European Union, but the GDPR was retained in UK law as the UK GDPR.
Because the GDPR was kept almost in its entirety, much of the legislation applies. The only significant difference is that it applies to all businesses that target users in the United Kingdom, not the wider European Union as it did before.
When you are looking at GDPR and how it applies to you, you will notice some terms that may sound complicated or technical. It’s important that you understand at least these terms as they are mentioned throughout GDPR processes and legislation.
Data Subject
A data subject is a person from whom a company collects information. That would be you on this website, or me on your website.
Data Controller
A body or an entity that gathers and stores information. On this website, there are a few data controllers. Sonetel is one data controller for this website, as they store information on their systems from this website.
Data Processor
A body or entity that processes data, regardless of the source. That would be me on this website, as I am responsible for reviewing and responding accordingly to information submitted on this website.
Supervisory Authority
A country’s data protection authority. For the UK, that would be the Information Commissioner’s Office or ICO.
Data Protection Officer
A single point of contact to handle all GDPR activities and paperwork. Larger companies tend to appoint a specific person or department and task them with reviewing privacy policies and activities. For this website, that would be me.
Subject Access Request
A request from or on behalf of a Data Subject for a copy of the information held by a company or organisation about the Subject. As part of such requests, Subjects can also make a request to verify the company is processing their data lawfully.
What happens if the rules are breached?
The GDPR defines a data breach as “a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” In the event a breach is discovered, the company that controls and processes your data is legally required to let you know about the breach at the earliest possible opportunity, regardless of how far you are with securing your systems.
Another aspect of GDPR is the response to Subject Access Requests. It is expected that requests are completed within a month, but requests that are complicated can take extra time. Companies can extend the headline to three months, but they must still respond within a month to explain why the extension is necessary. Not doing this will also constitute a breach of the rules and a penalty will still be levied.
Penalties for not complying with GDPR are pretty severe, and can be as high as €20 million or 4% of your annual turnover. Since the legislation has been implemented, there have been some standout offenders.
British Airways
In June 2018, British Airways was subjected to a cyber-attack on its systems, which resulted in the details of around 430,000 customers being exposed. It reportedly took two months to discover the breach. The UK's Information Commissioner's Office, our data protection regulator, found that British Airways was significantly at fault and should have detected the exploits in its systems. Since the UK had not left the EU at the time, GDPR regulations came into play and the ICO sought to fine British Airways to the tune of £184 million ($250 million*, €220 million*). In October 2020, the ICO came to a decision and fined British Airways £20 million ($27 million*, €24 million*), which at the time the ICO said was still their largest fine to date.
Marriott International
In 2014, Starwood Hotels and Resorts Worldwide Inc. experienced a data breach, which was not discovered until September 2018 when they were bought by Marriott International. It was discovered that around 339 million guest records worldwide were affected as part of this breach. The ICO found that Marriott had not done enough to further protect customer information when they acquired the chain, as they were required to do under GDPR. As a result, the ICO sought to fine Marriott. The fines were applied from 25th May 2018 - when GDPR was applied. The initial proposed fine was reportedly £99.2 million ($135 million*, €119 million*). In October 2020, the ICO decided to fine Marriott International £18.4 million ($25 million*, €22 million*).
Google, Amazon, Facebook
Big Tech companies are not immune to consequences under GDPR. Google was fined €50 million (£41.6 million*, $56.7 million*) by the French National Data Protection Commission (CNIL) after it was alleged that the company did not have the legal basis to process user information for ad personalisation purposes. In September 2021, WhatsApp was fined €225 million (£187.5 million*, $255 million*) after it had been found that WhatsApp and Meta (then Facebook) had not discharged their duties properly under data protection legislation. And Amazon was fined €746 million ($846.1 million, £621.7 million) in July 2021 from the Luxembourg data protection authority, also known as Commission Nationale pour la Protection des Données (CNPD), for data breaches. Amazon are currently appealing the decision.
The UK Ministry of Justice
It isn't just private companies that have fallen foul of the rules under GDPR, and breaches of the regulations are not only limited to data being revealed or systems that could be exploited. In January 2022, the UK Ministry of Justice was given an Enforcement Notice from the ICO and faced the prospect of a fine in the region of £17.5 million ($23.8 million*, €21 million*) for failing to respond to Subject Access Requests in an adequate timeframe. There had been a backlog as far back as 2019, and the number of requests that had only received a partial response sat as high as 7,728. It was reported that, as part of the investigation by the ICO, the Ministry was found to be in breach of Chapter 3, Article 15 of the EU and UK GDPR, and section 45 of the Data Protection Act "because it failed to inform the relevant data subjects 'without undue delay' whether their personal data was being processed by the MoJ or on behalf of the MoJ and if so, to provide access to it in an intelligible form."
* Amounts mentioned are taken from online conversion services on 19th January 2022 and are for illustrative purposes only.
It is worth mentioning that these fines are for large companies. While smaller companies would be subjected to GDPR regulations and scrutinised equally, the fines they would face would likely not be as substantial.
How do I make sure I comply with GDPR?
There is no one-size-fits-all way to comply with GDPR. Some requirements will only apply to certain websites but not others, and breaking down each of the requirements of the GDPR would take a lot of time. There are three important aspects of GDPR that you must understand.
Data Protection Impact Assessment
A Data Protection Impact Assessment (or DPIA) helps you to identify the data protection risks to a project and thus minimise them. You should do a DPIA before any processing of user data, but you must perform one under GDPR if that data is highly personal and likely to be targeted by one means or another.
Your DPIA must:
- describe the nature, scope, context and purposes of processing user data;
- assess the nexessity of the user data and the compliance measures you have taken to protect it;
- identify and assess risks to individuals of potential data breaches; and
- identify any additional measures you can take to mitigate those risks.
When you are assessing the risk of data breaches and the potential for individual damage, you should consider both the likelihood and the severity of any impact to the individuals you are collecting data on. For example, a “high” risk could result from either a high probability of some harm, or a lower possibility of serious harm.
Examples of “high-risk” activity could include:
- Using new technologies
- Tracking a person’s location
- Processing genetic or biometric data (thing 23andMe or DNA testing)
- Marketing towards children
Need help writing a DPIA?
There are some useful resources on writing a DPIA available online. A sample can be found on the GDPR.eu website.
Data Breach Notifications
If a company finds they have been affected by a data breach, they have 72 hours to inform their respective data protection authority (the ICO in the UK). They also need to inform their users as quickly as is possible. It is not uncommon that companies will inform users when the breach has been fixed and processes have been completed. One way to see this is that it would be safer for users to check their information and change passwords or account details when the breaches have been fixed so as not to result in further information leaks.
Privacy Policy
All businesses need to have a policy readily available on their website that explains to users what companies do with your data. Any policy you publish must:
- Include the contact details of the company and its representatives.
- Explain why the company is collecting users’ data, and how long it intends on keeping the users’ data on file.
- Explain the rights that users have with regards to their data.
- Be written in simple language, understood by as many people as possible.
- Name each of the recipients of the users’ data, if that data is shared with another company.
- Include the contact information for an EU representative and the Data Protection Office
Help writing a good privacy policy.
Policies do not need to be written by a legal expert, but it would be highly advised that they are and that you understand everything within them. If you need a good base to work from, there are some good templates to use. Termly has a free GDPR policy generator and some reference material to help understand GDPR better, and Rocket Lawyer has a GDPR compliant policy generator, as well as other useful policies for your website and your business, although you may need to pay to download the policies as Word documents.
Useful Checklist
Unfortunately there is no such thing as The One Way™ or an Idiots’ Guide™ to GDPR legislation, or any similar regulations in your particular country. Regulations like these are fraught with pitfalls and caveats and minutiae that you really need to pay attention to what the rules say. As a very broad and generalised rule-of-thumb, you would be wise to follow these Dos and Don’ts.
Dos and Don'ts to comply with GDPR
Do...
Make sure you collect information legally and fairly
Only collect as much information as you absolutely need to
Make sure your data collection and storage systems are secure
Only store data for as long as necessary
Don't...
Don't lie or mislead users about why you are collecting their information
Don't collect and store data just because you can
Don't assume that your systems will just be ok
Don't keep data you no longer need or use
Want more information?
If you want more information on GDPR, there are some resources that you should check out. First, the GDPR section on the EU website has plenty of information if you want to look further into the legal aspects of the regulations, or you can check out the GPDR.eu website, which contains a lot more user-friendly information. There you can find the legal texts as well as resources on compliance. You can also check out the ICO website in the UK. Although this looks primarily at the UK’s obligations, it is a good resource for businesses in any country. There is also the UK Government website which has a guide to help you to understand GDPR, as well as your obligations under the UK GDPR and the Data Protection Act 2018, and you can find out more about making a Subject Access Request from Which?, the consumer rights organisation in the UK.
Do you have any resources that you have used for GDPR compliance? Do you have any questions or issues with GDPR? Head on down to the comments and let’s discuss.