With the General Data Protection Regulation (GDPR) replacing the existing European data legislation in less than a month, many global businesses are scrambling to finish preparing for the 25 May 2018 deadline. The new law introduces tougher fines for non-compliance and breaches, and it gives EU residents more say over what organisations can do with their data.
To help businesses navigate the new law’s compliance requirements, we’ve outlined some of its key concepts and definitions to highlight the notable differences between the GDPR and previous legislation. I also discuss the realities of the legislation and what responsible businesses can do to prepare for the final compliance deadline in this Q&A with my colleague, Ed Thorne, Managing Director at Dun & Bradstreet UK.
The good news is that the cornerstone definitions of the current Directive and the Data Protection Act 1998 remain generally unchanged under the GDPR. The concepts of “Personal Data,” “Sensitive Personal Data,” “Controller,” and “Processor” have not changed significantly, so businesses that already understand them will find that understanding carries over to their responsibilities under the new law.
- “Sensitive personal data” or, as it is known in the GDPR, “special categories of data,” now includes biometric and genetic data, acknowledging the rise in the use of this data in digital services. This includes things like fingerprinting, health data, and ancestry data. It excludes criminal convictions data, but in the UK, criminal convictions will still require explicit consent to process.
- “Processors,” defined as organisations that perform a task on another organisation’s personal data as a service provider, will be given legal obligations under the GDPR for the first time, alongside “Controllers.” Processors include companies such as Dun & Bradstreet, which provides data services to customers to match and append their data. In conjunction with the GDPR, the D&B EU Data Processing Agreement has been introduced for businesses that provide us with their data. It outlines specifically how we handle your data and ensures that our activities are GDPR-compliant.
- Controllers are the party that has overall control over the data. Most obligations still fall to the Controller, but it is important that businesses are aware of (a) when they are acting as a Controller and/or a Processor (businesses can have dual roles depending on the nature of work being carried out) and (b) what their obligations are as a Processor – both to their Controller and to the data-protection authorities.
The definition of a data subject has not changed under the GDPR, but while reviewing GDPR procedures it’s worth ensuring this definition is properly captured and understood. The GDPR makes no distinction between private and business activity: if an organisation deals with unincorporated businesses such as sole traders or partnerships, their data will be personal data, as will data regarding directors and shareholders at incorporated companies. All contact information of individuals at companies (unincorporated or not) will also be covered.
At Dun & Bradstreet, data is our business. Because of this, we’re well prepared for the evolution in data protection that GDPR represents. We’ve closely monitored the introduction and development of GDPR and ensured our practices are wholly compliant. As such, the data we supply to customers is in line with the law – but customers need to take the same care with how they process and use that information moving forward.
To learn more about GDPR, download Dun & Bradstreet’s whitepaper, “GDPR: An Evolution, Not a Revolution.”