GDPR legislation: fact and fiction

Woman with data surrounding her and a screen with a padlock infron of her face.

On May 25th 2018, the new General Data Protection Regulation (GDPR) comes into force across the EU. There has been a lot of media attention (and a fair amount of scare-mongering) about exactly what GDPR involves. LGFL Director Anne Leiper sorts legal fact from media-fuelled fiction.

The new GDPR legislation is causing a lot of concerns amongst the business community, but in essence it’s an enhanced and updated version of the current Data Protection Act and Privacy and Electronic Communications Regulations (PECR) we already have in the UK.

GDPR clarifies and defines who owns data and how it may be used. It ensures that all member states of the EU (and anyone who trades with them) work to the same standards of data acquisition, use and storage. It really is as simple as that.


Penalties for data breaches and infringements

What has caused the headlines is the massive increase in penalties that national data authorities (such as the UK ICO) can impose on those who are in breach of the regulations. When telecoms company TalkTalk failed to prevent a major cyber attack in October 2015, the ICO fined the company £400,000. Under the new regulations, the maximum fine will increase to EURO20million, or 4% of gross turnover, whichever is the greater. At the time, that could have equated to over £70million for TalkTalk.

This is what many companies are concerned over. However, as Information Commissioner Elizabeth Denham said in her speech to the Data Protection Practitioners’ Conference in April:

“The misinformation about massive fines being an ICO default under the GDPR prompted the first in my series of myth-busting blogs last summer… Enforcement is a last resort. I have no intention of changing the ICO’s proportionate and pragmatic approach after 25th of May. Hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law.”

So, what exactly is GDPR and how might affect you, and your business? Let’s start with how it affects you personally as what the legislation refers to as the ‘Data Subject’.

Access to your personal data

As the data subject, GDPR puts you in control of your personal data, and recognises you as the owner of your personal data. In the past, for example, a company might think that if they had purchased a mailing list with your name and address on it, they owned that data. This is not the case under GDPR. You own all your data - and therefore you can control it.


What is personal data?

The definition of personal data is central to GDPR.

“‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”

GDPR Article 4 para 1

In essence, this means that any data that can be traced back to a real person is personal data. (Much of GDPR is this kind of common sense approach, even if it is coached in somewhat odd terminology). So, this could be your name, birth date, address, phone number or even your mobile device ID number. It also covers your social media posts, your online photos and any Internet of Things data gathered by devices, from smart fridges to fitness bands.

Talking of health data, this comes under the category of Sensitive Personal Data, which would also include information on your race or ethnicity, sexuality, trade union membership or political affiliations.


Why personal data is required

We all know that a certain level of personal data needs to be kept by companies and organisations to provide goods and services, from purchases tracking to health records. What has changed is your right as an individual to know what information is being held by companies, why they need to retain it, what it will be used for and, if necessarily the right to ask for it to be deleted. This is known as Right of Access and Right to Erasure respectively.

This is where the GDPR regulations really come into their own. Organisations will now need to define which of five ‘lawful basis’ they keep your data under, and these in turn define how they can use your data. They now have a legal duty to disclose, for free, what information they hold on you, on request. They will also need to keep your data secure and minimise the data they keep to just what they need.

So, for individuals, GDPR is a great leap forward in keeping up with technology and keeping tabs on our data at the same time. If properly implemented, it should reduce data breaches, or at least minimise their impact due to more secure data storage and understanding of responsibilities.


Businesses and GDPR

For businesses, GDPR is a great opportunity to assess exactly what data they hold, what they need it for, and ensuring they have your consent to use it for marketing purposes, for example.

  • Businesses that collect data and use it themselves in-house are Data Controllers. They will store and ‘process’ (i.e. use) personal data as part of their business, including maintaining your account or contract.
  • Businesses that use or control data on behalf of a Data Controller are a Data Processor.
  • If sensitive personal data is involved, or regular and systematic monitoring of individuals on a large scale, organisations and businesses will require a Data Protection Officer.

So, most businesses just selling goods or services will be Data Controllers, for example. So far, so good.

Lawful basis for processing

Each organisation/business must assess what data they hold and what they use it for, as well as how they request it. They need to categorise their data under “lawful basis for processing”. As the ICO explains:

“There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.”

The six lawful bases are:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public Task
  • Legitimate interests

Once a lawful basis has been chosen for a data set, it cannot be changed later. This is why choosing the right basis is an important part of GDPOR compliance. It is also a task that all organisations and businesses must do for themselves, and then adhere to the rules of each basis across the organisation.

The excellent information and resources at the ICO can guide you through this:


Preparing your business for GDPR

GDPR is coming, and your business needs to be prepared for it. Choosing the lawful bases is one step towards compliance, and your business will need to invest time and resources to complete all checks and make any changes. Again, the ICO has an excellent “12 steps to take now” document outlining what your business may need to do to be compliant.



At LGFL Ltd, we are very much aware that in order to serve your best interests, we will ask for and record data on many aspects of your personal life. Rest assured, we always take the security of your data extremely seriously.