GDPR – The basics in 5 minutes

 This is a guest blog by Patrick O’Kane, author of the book "GDPR- Fix it Fast! Apply GDPR to Your Company in 10 Simple Steps.”

People are starting to complain about GDPR overload. The emails, webinars and articles about it are coming in from left and right. Sometimes they obsess so much with the detail that it is hard to know what practical steps your company should be taking on GDPR.

This article sets out some of the basics on GDPR.

Which companies does it apply to?

GDPR applies to all companies in the EU that process personal data.

GDPR also applies to all companies outside the EU that offer goods and services to people in the EU.

For example, a US company that markets and sells its shoes to UK customers is caught by GDPR.

Equally, an Australian company that offers an online dating service to French customers is also caught.

Those £17m/$17.7m fines – What do I need to know?

The maximum fine for breach of GDPR is 4% of global annual turnover or 20 million euro (whichever is higher). These fines will usually relate to a breach of a data subject’s rights or any of the basic GDPR principles.

There is a lower tier of fines of 2% of global annual turnover or 10 million euro (whichever is higher) for administrative breaches.

Article 83 of GDPR says the fines must be “proportionate” to the GDPR breach.

What are these new rights I keep hearing about?

There are numerous data rights set out from Articles 12-23 of GDPR. These will give you new powers to potentially erase embarrassing posts from social media. You also have the potential to transfer all your details from your old mortgage provider to your new mortgage provider. 

These could merit a separate article so let me introduce you to two of them today (there are more details in my book here).

The Right to Data Portability– Article 20 –

The right to data portability is an entirely new right. It means customers have a right to demand you collect all of the data you hold on them and to transfer it over to a new provider. A company must comply with such a request within one month (usually) and must provide the transfer free of charge. The customer only has this right where it is technically feasible for the company to transfer the data. There are certain restrictions to this right.  Let’s say, for example, that Kate has been banking with her old bank for 10 years. She’s decided to change to a new bank and wants to take all of her financial records with her. The right to data portability allows Kate to ask her old bank to transfer all of her data to her new bank in “a structured, commonly used and machine-readable form” This means the old bank must transfer the records in a way that is easy for the new bank to use. 

 The Right to Erasure - Article 17 –

This allows the customer to wipe his data off your systems and to make sure that any third-party with which you have shared the data does so also. The right to erasure is not an absolute right. There are several restrictions. For instance, a company may retain customer data in anticipation of a legal claim. Let’s say Megan booked a hotel for her wedding reception. Megan was very unhappy with the service on her big day, and most of the wedding party complained about the food. Megan was upset and has threatened to sue the hotel. She demands the hotel immediately wipe her data from their systems. There is a strong reason here for the hotel to retain some of the Megan’s data because they anticipate that she may take legal action.

Patrick O’Kane is a data privacy expert and lawyer (barrister). He is the Data Protection Officer for a Fortune 500 US company. He helped lead a major GDPR implementation project across a group of 30 companies, and has written a book on GDPR entitled “GDPR - Fix it Fast.” www.gdprfixitfast.com