On 25 May 2018 the General Data Protection Regulation (GDPR) became enforceable across the EU. That date marks the start of a new approach to protecting the personal data and privacy of customers, employees and other individuals.
What is the GDPR?
The GDPR replaces the Data Protection Directive 95/46/EC and is intended to harmonise data protection law across Europe, whilst also governing the transfer of personal data outside the EU. In an ever more data-dominated world, where privacy violations and data breaches form an escalating threat to businesses and consumers alike, the GDPR is intended to raise the level of protection for all parties.
Does Brexit mean it will no longer apply in the UK?
Although the GDPR originates from the European Union and establishes unified regulation within the EU, it still applies in the UK. Brexit does not make the consequences of the GDPR unenforceable; businesses need to make provision for the GDPR regardless of the UK's exit from the EU. The GDPR took effect before the UK left the European Union and has, in fact, been in force since May 2016; Member States were simply given a two-year transition period and were not obliged to comply until 25 May 2018.
Consequences of non-compliance
The fines for non-compliance have been increased, so it is important to be confident that your business is observing the new data protection rules. The GDPR has made headlines for the maximum fines it can levy (€20 million, roughly £17 million at the time, or 4% of global annual turnover, whichever is higher), but its focus is on protecting the individual and ensuring that businesses approach data protection with a real commitment to getting it right.
The Information Commissioner's Office (ICO) is committed to educating organisations in this data-driven world and has said it will use its new capacity for larger fines proportionately, with a focus on lesser sanctions to guide businesses towards best practice.
A spokesperson for the ICO – the body responsible for enforcing GDPR in the UK – says: “The new law equals bigger fines for getting it wrong but it’s important to recognise the business benefits of getting data protection right. There is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals – and gain a competitive edge.”
What data does the GDPR apply to?
The definition of personal data has been extended within the GDPR to include online identifiers such as a computer's IP address and even genetic data: in short, anything that can help to identify an individual, directly or indirectly.
According to the European Commission “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
The GDPR applies both to personal data processed automatically and to personal data held in structured manual filing systems, a broader scope than under the previous definition.
What has changed?
The GDPR's central principles remain the same as those of the Data Protection Directive, so there is reassurance in the fact that if you were complying with the previous law you have a solid starting point to build on.
There are some new requirements, though, and you may have to make changes or implement new policies.
At the most basic level, businesses need to:
- Keep records of all personal data that is held (employees, clients, suppliers etc.)
- Prove that consent was given (where consent is the lawful basis being relied on)
- Demonstrate where the data is going
- Show what the data is being used for
- Establish how the data is being protected.
The Information Commissioner's Office (ICO) is a reliable source of information on the GDPR and the best place to work out the differences between the previous rules and the new law.
Key differences include:
- Accountability: increased emphasis on the documentation that data controllers must maintain to demonstrate compliance with the GDPR
- Management of data as a corporate issue: it would be helpful to review the processes you have in place for sharing data with other organisations
- Lawful basis and consent: this is the fundamental change. You must identify and document a valid lawful basis for each processing activity; where that basis is consent, the consent must be freely given, specific, informed and unambiguous.
The GDPR will be looking at how much control you are giving individuals and how you build their trust – are you giving them a positive opt in and offering them genuine choice?
Under the GDPR a personal data breach must be reported to the relevant supervisory authority (the ICO in the UK) unless it is unlikely to result in a risk to individuals' rights and freedoms, and the affected individuals must also be informed without undue delay where the breach is likely to result in a high risk to them. Examples of detrimental impact on an individual include discrimination, damage to reputation and financial loss.
If such a personal data breach occurs within your business, you must report it to the supervisory authority within 72 hours of becoming aware of it. With cyber-crime posing an ever-increasing threat, data breaches are becoming far more commonplace, and it is crucial that you review how you detect, contain and respond to attacks so that you can meet this deadline and have the necessary protection in place.
25 May 2018 was the date the GDPR came into effect, but it is also just the beginning of a new approach, and the ICO recommends that organisations seize the opportunities the new law offers.
GDPR compliance is an ongoing process that requires the continued buy-in and training of individuals across your organisation. The data you hold will naturally change with time, as will the technologies you use to process it – a proactive approach that regularly reviews your policies will enable you to more easily manage and protect your data.
As Technical Director I focus on the solutions, products and processes used to ensure the smooth running of clients' systems.