It’s just under a year now until businesses are required to become compliant with the GDPR (General Data Protection Regulation). This is a directive from the European Union that deals with issues of data protection and privacy for EU citizens.
Since our world has been transformed by the development of digital technology, all organisations have been collecting increasing amounts of data about their customers and users. In today’s world, personal data is a highly valuable commodity, used in a variety of ways and sold between organisations, and the legal protection governing where, how and why data about individuals is stored has become outdated.
In fact, for many citizens the scale and volume of personal data that’s held about them – from medical and financial records, to music and video tastes – can be a surprise. All this data could be extremely valuable if it were to fall into the wrong hands, and security breaches, while relatively rare, can have far-reaching ramifications.
Consumers can also fail to fully understand what can happen with their personal data if they opt in to certain communications, and while laws and general practice have improved significantly over recent years, there are still unscrupulous organisations which look to harvest personal data for profit.
The GDPR regulations are therefore the latest attempt to protect an individual’s data. They aim to give individuals control over how, why and when data held about them is stored, accessed and used, and to minimise the risk of security breaches.
Key elements of GDPR
Data is collected at every turn, as businesses move their operations to digital and online, in order to save costs, gather useful data about their customers and products, and provide a better customer experience.
At the moment, the protection of that data is not well regulated, and customers are often unaware of how much data companies are collecting about them. They are also not sure what to do if they want to have their data erased, and without the GDPR, self-erasure is not necessarily an option.
Different member states within the EU have their own laws governing data protection and privacy. The GDPR will unify all legislation from the different countries to provide one set of consistent rules for everyone. New GDPR regulatory authorities based in each member country will also have significant powers to take action against companies breaching the law.
The GDPR is a long overdue update of the UK Data Protection Act which was first passed in 1995 at the onset of the internet. That first act could not have anticipated the pace of the technological change that has transformed our lives. The GDPR directive was approved on 14 April 2016 after four years of debate and revision and is coming into force on 25 May 2018.
A year to get compliant
Britain is now leaving the EU, Prime Minister Theresa May having invoked Article 50 on 29 May 2017, but UK businesses must still become compliant with the GDPR.
It will take up to two years for Britain to exit the EU, and in that time the GDPR will come into force. There is also the strong possibility that the UK will keep the rules of GDPR as part of its exit negotiations.
When the GDPR is enshrined in law on 25 May 2018, companies will need to ensure they have:
- Nominated an employee to lead on their company’s GDPR compliance
- Conducted a compliance audit of their operations
- Kept a data register to track progress towards compliance
- Classified the sensitivity of their data
- Evaluated their data collection and protection processes
- Assessed their data security policies by completing a Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA)
- Assessed and documented their risks and processes, and created a road map showing how they will address and mitigate those risks
How to ensure you aren’t at risk
Visit the EU GDPR website to check the legislation coming into force. Transparency is the key principle, and ‘privacy by design’ is essential. Data protection must be included in the ongoing process of designing your systems, and not simply added on as an afterthought.
Make your consent opt-ins extremely clear for your users, make it incredibly easy for them to opt out of communications, and write in plain language.
If you’ve thoroughly audited your data collection and processes, and taken the necessary steps to comply, your risk of non-compliance should be low. Your nominated employee or external advisor should apply their knowledge and understanding of the GDPR to help your company make the necessary changes.
Note that some companies, such as those regularly monitoring data on a large scale or handling data that falls into a particular category (such as criminal data), will be required to appoint an official Data Protection Officer.
Even if you are not taking payment from customers when collecting their data, but are dealing with personal information, you still need to comply with the GDPR.
It’s really important to become compliant with the GDPR by 25 May 2018. If not, your business will likely face hefty fines and damage to its reputation.
The GDPR is best represented as the spirit of transparency, the responsibility to protect consumer data, and privacy by design. In many cases it will require organisational transformation: organisations must stop treating personal data as fair game and instead value privacy and empower the individual when it comes to his or her own data.