Since 1998, the UK’s Data Protection Act has been looking after your personal data, your digital identity. But as of May 2018, it will be consigned to the scrap heap due to the introduction of the GDPR – General Data Protection Regulation – from Europe. And trust us, this new legislation is far more comprehensive than our old Act and is not something to be dismissed lightly.
If you weren’t aware of the GDPR a month ago, you may well have heard about it now with recent coverage in the media, including being the lead story on our national news stations. But what is the GDPR and, more importantly, what does it mean to you and your business or organisation?
Well, the GDPR started its journey way back in January 2012 with the European Commission. Over two years, the regulation was handed around between the Council, the European Commission and the European Parliament, finally emerging as a directive in 2016.
The GDPR, all 260-plus pages, is finally implemented in May 2018 and whilst it’s not on everyone’s reading list, its key fundamentals should be part of everyone’s knowledge. Yes, it is a set of terms and conditions when it comes to handling personal data, and that’s the key reason why the majority of us in the business world need to know and understand the basic requirements of the GDPR.
GDPR’s Key Fundamentals
- Personal Identifiable Information; or PII 2.0 – within the GDPR, personal information is covered in much more detail. Essentially, it’s no longer just the attributes that identify a person directly, i.e. a name and/or address. The GDPR incorporates indirect attributes too, including psychological, genetic, cultural, economic and social identity.
- Try and run; but you won’t be able to hide – wherever you are located geographically, the GDPR is applicable. So, if your organisation sells services or products to the European Union, or holds the personal information of an EU citizen, it is now liable under the GDPR for any breach or data loss and could face serious fines.
- To tick or not to tick the box – in the GDPR, there has to be clear consent to allow the processing of somebody’s private information, or data; and the word ‘clear’ is of importance. Being inactive is no longer sufficient and is not considered a form of consent. And those tick boxes found at the bottom of online forms? From May 2018, when the GDPR becomes effective, those boxes must only be used for opting in; ticking by default will no longer be allowed.
- Recruiters, get ready for the DPO – organisations and public authorities that currently systematically monitor, as well as process, personal data on a grand scale will be expected to employ or appoint a Data Protection Officer, or DPO. Under the GDPR, this new role will need to have a wide knowledge and understanding of data protection law. Their role will incorporate assisting with impact assessments, overseeing changes to personal data processing, and monitoring the how, why, where and when of personal data accessibility.
- First step; it must be reported – currently, organisations are not obliged to report the loss of personal data. However, the GDPR changes that by specifying that any breach or data loss has to be reported to the relevant data protection authority within 72 hours from the point that the breach or loss of data was discovered by the organisation. The only time that this is not an absolute requirement is if exceptional circumstances are in existence.
- Ah, don’t worry about it – this is one for the social networks and is a key change – the person’s right to be forgotten. A data subject is now able to request that their data is erased, or they can withdraw their consent which means that their personal data cannot be processed any longer. The subject company that receives such requests must comply.
- A bob or two – this element of the GDPR has probably caused more consternation than anything else; the fines, or punishments, for non-compliance and for negligent or intentional loss of data are high. In the worst case scenario, any fine could potentially reach EUR 20,000,000 or 4% of global annual turnover for the preceding financial year.
Whilst we have simplified the GDPR requirements, it is still very evident how much the GDPR will impact businesses and organisations in the future. Don’t make the mistake of comparing it to the current Data Protection Act. The gulf between that and the GDPR is as big as an ocean. Without doubt, the GDPR is way more comprehensive and will alter the way we not only think about personal data, but also how we process and interact with it.
A 'bury-my-head-in-the-sand' approach to managing personal data just won’t cut it from May 2018. It’s now a race against time to ensure your business or organisation is ready for GDPR, and is able to comply with its requirements.