In the past few months, the amount of literature on GDPR has been increasing rapidly. Discussing the topic internally or externally, people do not know whether it is good or bad for business, nor do they understand the ramifications of these changes. Here is my point of view. Forget whether it is good or not for your business; the bottom line is that it is good for the customers. If you are a customer-centric business like mine, then you will welcome it with open arms. Of course, there will be painful conversations ahead, and people must remain pragmatic and make these changes bit by bit rather than all at once. Therefore, if you read this post, crack on with it, as it comes into play on the 25th May 2018.
Back in the day, around 1995, the Data Protection Directive 95/46/EC [DPD] was introduced. This legislation was the first of its kind at the time; it replaced some old-school legislation that was out of date and brought all the new data legislation together in one place. The legislation provided a detailed framework for data processing, but now, 21 years later, the DPD has become significantly out of date!
Now, 21 years is a long time: you could do 7 undergraduate degrees in that time. So it is no wonder that within that period the use of computers, and the data this use creates, has changed considerably, which unfortunately also means that the threat of cyber crime and subsequent data misuse has increased.
Not only has technology changed immensely (and continues to do so), but the reliance on paper records has diminished. Funnily enough, floppy disks are no longer used (remember those!), and there is now a vast range of storage options, as well as the mass use of social and professional media and the ongoing creation of Big Data, all of which leave huge chasms in the 1995 legislation.
Some users, being the savvy lot that they can be, have become somewhat paranoid and alert to the growing risks and the importance of data protection. However, the majority of everyday users (business or social) are still catching up on basic security measures.
A survey undertaken by the EU revealed that 74% of Europeans see disclosing personal information as an increasing part of modern life. But why are people giving away their personal information?
It seems that the most important reason to disclose this information is to access an online service. The most interesting result in this survey is the fact that 26% of social network users and 18% of online shoppers felt they had no control over their own data.
What does the General Data Protection Regulation (GDPR) cover?
The legislation, named the General Data Protection Regulation or GDPR, includes provisions such as the ‘right to be forgotten’, new rules on data transfers outside the EU, the introduction of data breach notification requirements and much higher fines that are based on a percentage of a company’s annual turnover.
The ICO (Information Commissioner’s Office) explains that under the GDPR, the data protection principles set out the main responsibilities for organisations.
The principles are similar to those in the DPA, with added detail at certain points and a new accountability requirement. The most significant addition is the accountability principle. The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity.
Key principles of GDPR:
The GDPR covers all data controllers and data subjects based in the EU. It also applies to organisations based outside the EU that process the personal data of EU residents.
According to the EC, the definition of personal data covers anything that points to a person’s professional or personal life, including names, photos, email IDs, bank details, social networking posts, medical information, or a computer’s IP address.
There will be a single Data Protection Authority (DPA) assigned to each company, depending on where the company is located, and it will report to the European Data Protection Board. One must be appointed for all public authorities and for companies processing the data of more than 5000 data subjects within 12 months.
Previous data processing notice requirements remain intact, but notices must now also specify the retention time for personal data and provide the controller’s contact information to customers. The Privacy by Design and Privacy by Default clauses in Article 23 mandate that data protection protocols be integrated into the business development process itself. All privacy settings must be set to high by default.
Data Protection Impact Assessments (Article 33) have to be conducted when specific risks occur to the rights and freedoms of data subjects.
Proof of Consent
Article 7 and Article 8 specify that data controllers must possess a valid proof of consent for processing data and acquire special permissions for collecting the data of children under 13 from their legal guardians.
Instant Breach Alerts
Article 32 says that any data breach must be reported to the DPA by the controller within 72 hours of discovering the issue, so that all parties involved can be warned about the situation and take precautionary measures.
First instances of unintentional non-compliance will be doled out written warnings by the DPA. As a result, organisations will also be directed to conduct regular data protection audits. In the case of graver offences, organisations may have to cough up a deadly fine of up to 1,000,000 EUR or up to 2% of annual worldwide turnover in the case of an enterprise, whichever is greater (Article 79).
Right to Erasure
Article 17 empowers data subjects by giving them the right to request removal of personal data related to them on any one of a number of grounds, including cases where the fundamental rights of the data subject take precedence over the data controller’s interests and require protection.
Portability of Data
According to Article 15, users will also be allowed to request a copy of personal data being processed so that they have the freedom to transmit it to another processing system if needed.
On-premise private cloud solutions such as FileCloud help organisations keep their data on servers within their own firewall, while providing all the flexibility and access advantages of a public cloud such as Dropbox. Additionally, FileCloud offers capabilities to help comply with EU regulations, and features to monitor, prevent, and fix data leakage across devices (laptops, desktops, smartphones and tablets).
What should you do if you want to transfer data now?
It has been advised that in this pre-GDPR period it is better to avoid transferring data altogether, even though alternatives have been set out by the EU. A number of solutions have been made available to help with the problem of transfer, such as mobile e-discovery technology, e-discovery platforms and predictive coding, which can be used to ensure that relevant data is found quickly and deleted.
Transferring data across the pond looks to remain a complex legal process until the GDPR and Privacy Shield are fully confirmed and in place.
However, the legislation is not set in stone and may still change, even after going live. Even more so in light of Brexit: how will the UK adhere to the GDPR and its shiny new facets? Most people say that it won’t change, but let’s wait for the Great Repeal Bill.
With the vast number of alternatives available, it should not be difficult to find solutions for processing essential data during this time of uncertainty, and it will hopefully be a step forward for all internet/data/app users in feeling confident that their data is secure!
Should you love it or loathe it?
Love it, of course. As Anders Hilmansson puts it, there is quite a lot in it for you! If you comply with the GDPR adequately and effectively, you’ll have the possibility of achieving breakout performance compared to your competitors, owing to the competitive advantage it gives you. You’ll have what the Boston Consulting Group calls the “Trust Advantage” (MUST READ this paper): your consumers will entrust you with more data (compared to your competitors), which will lead to better online recommendations, more accurate targeting, faster development of new products and services, and several other benefits to you and your customers.
In light of the above – and taking into consideration that the value of Europe’s personal data is estimated to grow to nearly 1 trillion euros annually by 2020 – the GDPR isn’t a burden: it means business. (Even if most people currently preaching about the GDPR are keeping this a secret.)
Hope that clarifies things and helps put it in a bit of perspective.