GDPR – what you need to know
The General Data Protection Regulation (GDPR) supersedes the Data Protection Act 1998. GDPR creates new requirements for organisations that process EU residents’ personal data and allows authorities to enforce fines of up to 4% of annual global turnover.
Who is affected?
GDPR applies to everyone involved in processing data about individuals in the context of selling goods and services to citizens in the EU; this will affect UK organisations.
The big picture
The General Data Protection Regulation (GDPR) tackles the inconsistent data protection laws currently existing throughout the EU’s member states and facilitates the secure, free-flow of data.
The outgoing 1998 Data Protection Act has become outdated as technology has evolved, making much of the legislation obsolete in protecting people.
GDPR aims to create a level playing field across Europe so that everyone has the same rights with regards to their personal data.
Implementing the GDPR guidelines effectively will strengthen customer trust and confidence as the reputational damage of suffering a data security breach is extremally costly. In the long term, GDPR is a necessary step to safeguard the publics security rights in this digitised world.
For businesses, GDPR poses more restrictions on what they can do with data to gain commercial benefit. Also, the necessary structural changes can cost millions of pounds on compliance spending.
Why is this happening?
As the economy becomes increasingly more digitized, companies are holding enormous amounts of highly sensitive personal data; this data is gold-dust to cyber criminals. The fact that EU countries currently have different, and somethings conflicting, laws is creating opportunity for cyber criminals.
Cybersecurity is a hot topic in a world that is increasingly rife with cyber-attacks. It doesn’t just affect big businesses (and their customers). Whist people may be talking about the NHS, Talk Talk, and Carphone Warehouse, smaller businesses are increasingly being targeted.
Data privacy has become a priority for both businesses and individuals, with public awareness surrounding data security and privacy generating question marks over how data – which is being produced at an exponential rate – is actually collected, processed and stored.
Rapid technological advances have commoditised personal data, with GDPR set to change that with a standardised approach to data protection.
The use of the data must be made clear at the point of obtaining it. In obtaining consent for data use, companies cannot use misleading terms and conditions. Also, a company can no longer bribe people for their data. For example, tactics such as: ‘provide us your e-mail address to download this e-book’ will not be allowed. Furthermore, it must be as easy to withdraw consent for personal data use and it is to give it.
In the event of a data breach, data processors must notify their controllers and customers of the source, risks and solution within 72 hours. As most breaches happen on Friday afternoon, this will be difficult is the right procedures aren’t in place.
Right to access
The data subjects have the right to obtain confirmation from the data controller of whether their personal data is being processed. Upon being requested, the data controller should provide a free electronic copy explaining how the subject’s data is being used.
Right to be forgotten
When the data is no longer relevant to its original purpose, data subjects can have the data controller erase their data.
This is another right for the data subject, it allows the individual to obtain and reuse their personal data for their own purposes.
Privacy by design
This calls for inclusion of data protection from the onset of designing systems, implementing appropriate technical and infrastructural measures.
Data Protection officers
Professionally qualified officers must be appointed in public authorities, or organisations that engage in large scale (>250 employees) systematic monitoring or processing of sensitive personal data.
Avoid Reputational Damage
As well as the monetary loss, the reputational damage caused by being found in breach of the incoming GDPR legislation would be significant.