With a whopping 2.5 quintillion bytes of data now being produced every single day, the debate around data privacy is showing no signs of slowing down; consumers and businesses are still asking the same fundamental question – how, where and by whom is our data gathered and stored? This issue is at the heart of the upcoming EU General Data Protection Regulation (GDPR). Designed to bring more transparency and structure to data protection, it is the first major legislative change to European Data Protection law since Directive (95/46/EC) in 1995, which regulated the processing of personal data.
Despite the importance of this regulation, lots of British companies are seemingly unaware of it. This has been partially due to indecision on the part of UK businesses about whether to invest resources in achieving GDPR compliance, given the lack of clarity around the power of European directives and acts post-Brexit. However, following the UK government’s confirmation that it will implement the GDPR, despite the decision to leave the EU, businesses will need to be compliant by 25 May 2018 or face enforcement action.
In light of this, now is a good time to look at exactly what the GDPR is, what it will mean for UK businesses and how your organisation can prepare for it.
What is it?
Simply put, the GDPR is the new regulation framework to create tighter limits on the processing of personal data and give greater rights to individuals. It essentially protects the right of European residents to regain control over how their personal information is shared and used. It will apply to EU-based organisations, as well as the data processing activities of those who target EU data subjects – meaning that if your business is involved in the acquisition, use, transmission, storage, destruction and breach of personal data in any way, you will be affected, regardless of whether your business stores or processes data on EU soil.
The act contains eight principles data processors must abide by when it comes to personal data – these include provisions that data need to be processed fairly and lawfully, be obtained only for specific purposes, and be accurate and kept up to date. Finally, anyone holding the data must take measures to protect it, and data must not be transferred to a country outside the EU unless that country also has rules in place to adequately protect it. There are also new limitations surrounding consent, as data owners must grant separate consent for different processing activities and can withdraw it at any time, or have their data erased under the GDPR. Furthermore, if a company has already made information public, then it has an obligation to pass the deletion request along to others.
It is important to note that GDPR only applies to Personally Identifiable Information (PII), which may comprise a very small percentage of an organisation’s data. However, GDPR covers a wide range of PII and can include URLs, pseudonymised data, physical data and so on. Personal details such as an email, for example, may not hold PII and therefore do not need to become part of the compliance envelope.
Why you should care
As discussed, the GDPR will define how organisations can collect, use and transfer personal data. Not only will businesses need to adhere to local laws governing information retention in every market they operate in, but they will also need to re-evaluate their individual business requirements and risk appetite. Failure to comply with the GDPR risks a maximum penalty of either €20 million or 4 percent of worldwide turnover (whichever is greater) – it can cost your business money, reputation, credibility and more. Equally, the first organisations to become compliant can use it as an accolade, highlighting that personal data is safe in their hands.
In addition, service providers or ‘data processors’, which were not previously subject to the more restrictive aspects of data protection legislation, will also now be affected. Organisations that use third parties will have to ensure that their data provider complies with the regulations as, in case of a breach, both data processor and data controller will be considered to have shared liability and will be penalised. Furthermore, all public authorities and organisations where core activities involve ‘regular and systematic monitoring of data subjects on a large scale’ or large-scale processing of ‘special categories of personal data’ will be required to employ a dedicated Data Protection Officer.
Always be prepared
Ahead of the GDPR, it is very likely that most businesses will need to overhaul their framework to ensure compliance, and to make sure they are aware of what data they hold, why they hold it, where it is kept and how long it should be kept for. They will also need to re-think what data is actually needed to manage business and employment relationships.
Organisations will be required to build a transparency framework that re-thinks how they engage with individuals, from contracting and permissions processes to providing clear and comprehensive information on how they handle personal data. The next step is to review contracts with third parties and include a right of audit in them. As part of this process, there is a huge education element involved. Regular data protection training will of course be required and will have to be extended to contractors and other third parties.
Becoming GDPR compliant will no doubt be a long and laborious task, but will also be a significant achievement, and potentially one of the screening criteria for tenders in the future. Let’s not forget that all businesses handling personal data will be required by law to become GDPR compliant by 25 May 2018, so it’s crucial to start planning and revisiting your data strategy today.