By now you will almost certainly have heard of GDPR, but what do you know about the incoming General Data Protection Regulation?
The EU describes it as the most important change in data privacy in 20 years. Governments are creating new bodies to enforce it and expanding existing departments to avoid falling foul themselves. Despite the fact it was agreed in 2016, many business owners still aren’t sure what to expect on May 25th.
GDPR has been introduced to bring legislation up to date with the changes in data collection and utilisation. Not since 1995 have there been EU-wide changes to data regulation. UK business owners may be more familiar with the Data Protection Act, launched in 1998. These predecessors of GDPR remain intact; however, how they are enforced, particularly in the UK, will change. After all, the DPA predates the original iPod, Facebook and the Spice Girls breaking up.
The act will see the onus put on companies to show they are using data legitimately. On May 25th you’re in the wrong until you prove otherwise.
Alongside GDPR, you can expect to hear ICO more and more often in 2018. In the UK, the Information Commissioner’s Office will head GDPR enforcement. The ICO will also advise the public on how to request their information, make claims and report malpractice.
In the UK, the ICO has made early statements of intent. In fact, it aims to be Europe’s largest privacy regulator by May 2018. Expect more claims reviewed, more staff enforcing GDPR and a much greater reach as 2018 progresses.
Come what may?
At present, UK regulators can’t carry out checks on data protection at short notice, which has fostered a relaxed culture towards data protection. This blasé attitude will change come May, when the ICO will begin knocking on doors without warning. Data auditing will become the norm, as it has been in Ireland for years.
Commissioner Elizabeth Denham has quelled doomsday fears, stating there won’t be attempts to make early examples of companies by issuing unbalanced fines. The fines themselves can be a staggering 4% of a company’s annual turnover (or €20 million), or 2% for lesser offences such as not keeping data records up to date. Denham, who has previously investigated Facebook, WhatsApp and Yahoo, added that there would be no leniency on the enforcement date.
“… there will be no ‘grace’ period – there has been two years to prepare and we will be regulating from this date.”
In the UK, the ICO is expanding its scope, but this does not just apply domestically. One of the significant differences between GDPR and earlier data laws is that it affects any company holding the data of an EU citizen. Regardless of what form Brexit may take, GDPR is here to stay. If your business holds the data of just one EU citizen, you must comply.
Consent on behalf of the customer/employee has been simplified under GDPR. The ICO will penalise those who are seen to be intentionally misleading customers or over-complicating forms. If your terms and conditions are overly complex, be prepared to update them.
Another consequence of GDPR will be the rights to access information and to be forgotten. Data subjects can request a free digital copy of the data an organisation holds on them. The right to be forgotten (or data erasure) allows an individual to have their data removed, provided certain conditions are met.
On the whole, GDPR will reconstruct the culture of data management. The ‘Privacy by Design’ initiative signals modernisation by making data privacy a primary consideration. Software manufacturers and users will be expected to prove that data is stored and shared safely.
For the past two years, the EU and the ICO have sent out an explicit message regarding what they expect from businesses. While there is no one-size-fits-all solution, there are some guidelines for conforming to the new standards.
Essentially, your business needs to accept that it has a responsibility to the people whose data it holds. You must ensure information is obtained knowingly and used sensitively. Note the source of the data, note why you have it, and ensure third-party partners are meeting these standards. Whatever you don’t need must be disposed of carefully. A commitment to transparency will help your business thrive.
Ideally, you will appoint a data protection officer if you can afford one. If not, retrain staff; the long-term risk outweighs the short-term cost. Accountability will be paramount to a successful culture change in your organisation. You are only as strong as your weakest link, and one small error could be damaging. Even if you avoid a fine, a damaged reputation could be more costly.
Lastly, if you feel you are breaching data laws or are unsure of aspects of the new legislation, self-reporting is the best approach. The ICO has hinted that it will look more favourably on businesses that come forward regarding potential failures. GDPR is about transparency and improvements in data protection, not huge fines.