What you need to know about new rules governing your business’s data

Business Insights
02/08/2017

Data protection is a hot topic just now, and you’re going to hear a lot more about it over the coming year.

Changes set to come into force in the UK are the result of a pair of EU measures adopted in April 2016, a Directive and a Regulation, which together form a framework intended to guarantee the right of individuals across the continent to privacy and to the protection of their personal data.

One of these, the Directive on data protection in the police and criminal justice sectors (Directive (EU) 2016/680), applies to law enforcement authorities and sets out to ensure that data relating to victims, suspects and witnesses of crime is protected while it is processed for the prevention, investigation, detection or prosecution of criminal offences.

The much more far-reaching of the two is the General Data Protection Regulation (Regulation (EU) 2016/679), already commonly referred to as the GDPR. It replaces the 1995 Data Protection Directive, is designed to give individuals better control over their personal information, and one of its overall aims is to strengthen trust in the EU's Digital Single Market.

Running to 204 pages in its unabridged version, the GDPR is currently in the midst of a two-year implementation period and applies in full across the EU from 25 May 2018. Unlike a Directive, a Regulation does not need to be transposed into national law, so it takes effect directly in every member state on that date.

What does the regulation class as personal data?

The 1995 directive and the GDPR that replaces it both define personal data as any information relating to an identified or identifiable natural person. A person is identifiable if they can be picked out, directly or indirectly, by reference to a name, an identification number, location data, an online identifier, or any other factor that distinguishes them from other individuals.

That means identifiers include IP addresses and cookie IDs where they can, without undue effort, be linked back to the person concerned; the GDPR's recitals list such online identifiers explicitly, and the test is whether identification is reasonably likely using the means available to the organisation or anyone else.

The rules make no distinction between data gathered about a person in their private, public or working life. In all these contexts the individual is the same individual, and any data that can identify them, whether it relates to their physical, physiological, genetic, mental, economic, cultural or social identity, must be processed lawfully and kept secure.

How will the regulation change things?

Its main purpose is to put in place a single set of rules and standards applying throughout Europe, replacing the differing national laws that implemented the 1995 directive. Its promoters and the EU policy-makers behind it believe this will make it easier and cheaper for companies to trade within the EU.

The regulation also applies to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour there, regardless of where the organisation is established or whether those people are EU citizens. By obliging businesses to deal with a single lead supervisory authority (the "one-stop shop") rather than a regulator in every member state in which they operate, the EU claims it will save businesses €2.3 billion in annual costs.

Direct marketing and legitimate interests

Reflecting the ways in which businesses now collect, process and use data to inform their marketing and promotional efforts, the GDPR's recitals state that processing for "direct marketing purposes" may be regarded as carried out for a legitimate interest. Legitimate interests is one of the lawful bases for processing under the regulation, alongside consent, and a business or organisation can rely on it as the grounds for holding and processing an individual's data.

Such processing is allowed where it "is necessary for the purposes of the legitimate interests pursued by the controller or by a third party", but the same provision adds "except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject". In practice the business must identify its interest, show that the processing is necessary for it, and balance it against what the individual would reasonably expect; legitimate interests is not a blanket licence to process data in the course of lawful business.

So, for example, it could still be legitimate to send details of goods and services by post to existing and prospective customers who are recorded as having bought similar items in the past. Electronic marketing by email, SMS or automated calls is additionally governed by the separate e-privacy rules (in the UK, the Privacy and Electronic Communications Regulations), which generally require consent, so a legitimate-interests basis under the GDPR does not on its own make such messages lawful.

One common marketing activity that gets specific treatment is 'profiling', which the regulation defines as any form of automated processing of personal data used to evaluate personal aspects of an individual, such as their preferences, interests or behaviour. Profiling for direct marketing does not automatically require consent, but the individual has an unconditional right to object to it at any time, after which their data must no longer be processed for that purpose, and they must be told clearly of that right no later than the first communication with them. Decisions based solely on automated processing that produce legal or similarly significant effects on a person are more tightly restricted and, outside a contract or a specific legal authorisation, do require the person's explicit consent.

Importantly, the regulation does not define what is meant exactly by 'direct marketing', so the common legal view is that data controllers need to consider the precise nature of any marketing activity before deciding whether the legitimate-interests basis applies to it.

What many businesses will need to be mindful of, however, is the big increase in the fines that can be levied on a business or organisation which does not comply with the new regulation. There are two tiers: up to €10 million or 2 per cent of total worldwide annual turnover for the preceding financial year, whichever is higher, for breaches of obligations such as security and record-keeping; and up to €20 million or 4 per cent of worldwide annual turnover, again whichever is higher, for the most serious breaches, including violations of the basic principles for processing, the conditions for consent and data subjects' rights.

A far-reaching consequence of the rule changes is the requirement for 'data protection by design and by default': appropriate technical and organisational measures, such as pseudonymisation and data minimisation, must be built into products and services from the design stage, and their default settings must process only the personal data necessary for each specific purpose.

Full details and the entire text of the GDPR can be found at http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf, while an official EU press release announcing the implementation timetable for the regulation is here: http://europa.eu/rapid/press-release_IP-15-6321_en.htm.