The EU General Data Protection Regulation (GDPR) will come immediately into force on 25th May 2018. It will be good for business. Eventually.
Some pills are bitter to swallow but they are for your own good! It sounds like Dickensian quackery put this way but in the context of GDPR, it can start to make sense.
GDPR governs the collection, purpose and storage of personal data concerning EU citizens by organisations. It affects organisations regardless of where they are located, even cloud-based operations.
Its purpose is to set up an EU-wide harmonised legal approach to data protection. At its core is the demand for the unambiguous consent of the individual for their data to be held, and the granting of new rights to secure their protection. Most affected organisations will have a lot of work ahead of them in order to comply in time.
Data protection for the digital age
In essence, the new regulation is a way of handling data protection in the digital era. Where the old EU Directive 95/46/EC had been crafted when digital was a developing art, GDPR sets out to give protection and rights to EU citizens in an age where most organisations – from public to private, from commercial to non-commercial – source and use data in wholly different ways.
The new protections and rights enshrined in GDPR demand that every affected organisation should be responding now. Even UK-based organisations not operating in the EU who may have been uncertain as to how to react with the impending exit from the EU, now have clarity on the matter. This comes in the form of the UK government’s issuance last week of its statement of intent to adopt a new data protection bill along the lines of GDPR as part of its planned reforms.
The requirements of GDPR are in essence similar to the old EU Data Protection Directive. The types of personal data covered by the old data protection rules – names, addresses, dates of birth, and so on – remain on the list. GDPR, in its pursuit of digital protection, not only includes photographic and CCTV images but also online identifiers such as an IP address, certain encrypted data, and even biometric data used for security identification.
New powers for individuals…
New powers handed to individuals will enable them to demand to see any data held by organisations concerning them, for the organisation to immediately make amendments to any errors, and for the individual to have that data removed from almost any system as part of their ‘right to be forgotten’. Additionally, there is an ‘opt in’ clause where organisations seek sensitive data from individuals.
Organisations failing to comply could face a sliding scale of punishments, ranging from a simple warning, up to fines of €20m or 4% of global turnover. The right of aggrieved parties to sue for compensation could also see the rise of so-called ‘legal claims farms’, as seen in the aftermath of the UK’s PPI mis-selling scandal.
…new responsibilities for businesses
The EU has said that GDPR responsibility specifically applies to “the natural or legal person, public authority, agency or other body which, alone or jointly with others”.
This translates into either ‘controllers’ (those who make decisions on how and why personal data is processed) or ‘processors’ (those who carry out the data controller’s requirements).
Get your house in order now
The individual rights and legal framework that support GDPR mean organisations must have ready and quick access to any relevant personal data they hold. There is also a requirement for all controllers to ensure their processors are compliant, and for processors to keep records of all data processing activities for inspection on demand by the local authorities (in the UK this will be the ICO).
In large and fragmented organisations, this may be difficult. Some businesses have said they will struggle to comply.
The fundamental requirement of GDPR compliance is thus to ensure that organisations are absolutely clear as to why they are collecting an individual’s data, have secured the right to do so, and then have the means of securely managing it, accessing and deleting it (either upon request or when it is no longer needed).
Tackling the task
For many firms, large and small, this will require a complete review of how their data is managed, including its acquisition, storage, access and distribution. In most cases, an approach from a technological, process and policy angle will be necessary. Analysis, design, implementation, operation and maintenance phases such as those suggested by IBM may be necessary to achieve this.
It will also be essential for all organisations to educate data-handling staff to know what GDPR’s requirements are, and to make them fully aware of the possible impacts of infringement. Training will be essential.
Taking the positive view
GDPR is not going away; seeing it as a nuisance or threat is ultimately counterproductive. A positive view is that where systems, processes and policies align, there will be improved data-handling efficiencies across the business. Of course, enhanced efficiency and confidence in data protection in the digital age builds better relationships with customers. So GDPR isn’t so bad after all, is it…?