Whether you were aware or not, the UK Data Protection Act has been protecting your digital identity and personal data since 1998 – a relative dinosaur in the fast-changing world of IT. However, as of April 2016, this piece of legislation has been given a two year expiration date. This is due to the emergence of its larger and scarier European cousin: the GDPR (General Data Protection Regulation).
It’s unlikely that you have not heard at least some grumblings on this subject in the past few years, but what exactly is the GDPR? And what does it mean for you and your organisation?
The GDPR started as a twinkle in the eye of the European Commission in January 2012 and has since been passed back and forth between the Commission, the Council and European Parliament for two years before finally becoming a directive in 2016. As a directive, the GDPR does not come into immediate effect; rather, it is up to the individual 28 member states to create local legislation with the same intended outcomes within two years. With the final implementation date scheduled as April 2018, the opportunity to measure its potential impact on organisations is limited.
Standing at 261 pages and with a rhetoric akin to a list of terms and conditions, the GDPR can hardly be described as a gripping read but contained within its convoluted language are just a handful of key fundamentals.
PII 2.0
The scope of personal information is much larger in the GDPR. Specifically, PII (Personal Identifiable Information) is no longer bound by attributes which only directly identify a person such as name and address. Instead there are a number of indirect attributes such as genetic, psychological, economic, cultural and social identity which in combination are now considered scope.
You can run but you can’t hide
Regardless of geographical location, organisations which sell products and services to the EU or hold EU citizen’s personal information are liable to the punishments set out in the GDPR for a breach or loss.
To tick the box or not
Clear consent to the processing of a person’s private data is provisioned in the GDPR, with clear being the operative word. In particular, inactivity can no longer be used as a method of consent. Those pesky tick boxes at the bottom of electronic forms must now be only for opting in and cannot be ticked by default.
Recruiters at the ready
All public authorities and those organisations which systematically monitor and process personal data on a large scale are now expected to appoint a DPO (Data Protection Officer). This new role will be expected to be an expert in data protection law and will, among other changes, assist with impact assessments, monitor the accessibility of personal data and supervise any changes to the processing of personal data.
Step one, report it
Remember when there was no obligation to report personal data loss? That will be no more. The GDPR specifies that unless the existence of exceptional circumstances, any data loss or breach must be reported to the data protection authority within 72 hours of the organisation becoming aware of it.
Ah forget about it
Social networks beware as one of the key changes is an individual’s right to be forgotten. Should a data subject want their data erased or should they withdraw their consent for it to be processed any longer, then the subject organisation must comply.
A pretty penny
Probably the part of the GDPR which has caused the most fanfare since its inception is the punishments that will be levied for the intentional or negligent loss of data. In the worst of cases, these are defined as being the largest of €20,000,000 or 4% of global annual turnover for the preceding financial article.
This is of course a simplified list of which can be greatly expanded, although it does highlight the impact of this directive. To consider the GDPR as an upgraded version of the data protection act is like comparing a horse and a Ferrari: both methods of transport yet incomparable due to the enormous gulf between them. The GDPR is however much more than that to both individual and organisation and is set to fundamentally alter the way we think about and interact with personal data.
The relational link between European bureaucracy and the sands of time has meant that the dismissive buried-head-in-sand approach has proven to be sufficient up to now. However, with April 2018 on the horizon, the race to alignment commences...and there are no exceptions for those who do not comply in time.
