In the next couple of weeks, organisations around the globe will be subject to one of the biggest shake-ups in privacy regulation in recent memory with the arrival of the General Data Protection Regulation (GDPR).
The new legislation comes into effect on 25th May 2018 – two years after it was approved by the European Parliament – and there is no grace period for the public and private sectors to fall back on. The EU believes the two years it has given organisations to get their houses in order has been more than sufficient, and it is ready to come down hard on those who are not compliant.
At this point, it would be a little surprising if an organisation hadn’t heard of GDPR. There has been plenty of coverage in the business and technology press, while inboxes have been flooded by requests for individuals to consent to their information being used. After all, greater protection and control over personal information is at the heart of GDPR, and this affects everyone from the NHS to your favourite football team.
It’s easy to dismiss such warnings as ‘project fear’, but there are serious implications for not being compliant, which is why it’s all the more surprising that so many organisations are still not ready despite the deadline inching ever closer.
It’s a lot to take in but there’s still time to get your act together. And the loophole you’re looking for? Sorry… but it probably doesn’t exist.
GDPR replaces the EU’s previous Data Protection Directive, which was adopted in 1995, making it considerably outdated for today’s data-intensive online world. What GDPR does is increase the rights of the individual and place extra obligations on the organisations that hold their data. Any business operating within the EU, or any business that processes the data of people in the EU regardless of where it is located, must be compliant with GDPR.
Organisations will have to ensure that the information they hold, and any they acquire, has been obtained lawfully, as defined by GDPR. Consent is the lawful basis most people will recognise, and where it is relied upon it must be obtained explicitly, in clear and understandable language. Individuals will gain the right to see what data an entity holds about them and the right to receive it in a 'commonly used and machine-readable format' so it can be passed to another organisation.
Ultimately, they have the ‘right to be forgotten’, which means they can demand that their data is deleted permanently (subject to a limited set of exemptions, such as where the organisation is legally required to keep it).
GDPR requires any organisation handling personal data to ensure every system is built with ‘privacy by design’, meaning information is protected from cyber and physical threats and that individuals can exercise the freedoms they are now afforded. A data breach that puts people’s rights at risk must be reported to the supervisory authority (the ICO in the UK) within 72 hours of the organisation becoming aware of it and, where the risk is high, to the affected individuals “without undue delay.”
All of this should be overseen by a named individual. This might be an existing employee who takes on additional responsibilities, but public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, will need a dedicated Data Protection Officer. The number of vacancies for such roles has risen by 709 per cent since the regulations were agreed by parliament two years ago, according to job site Indeed.
GDPR is a piece of EU legislation, but it will still be part of UK law for the foreseeable future. Not only does it come into effect before Brexit (after all, the UK is still part of the EU for the time being), GDPR also forms the basis for the UK government’s new Data Protection Bill, which, it is claimed, will give the UK one of the “most robust” sets of data laws in the world.
Even if the UK decided to relax these rules in the future, any business that handled the data of EU citizens would still have to be GDPR compliant. So, delaying implementation until the UK leaves the EU in 2019 is not an option.
It’s not just customers you will have to think about, it’s employees too. Organisations will be required to use information only for the specific purpose for which it was collected, and to collect only what is necessary. Retention policies should ensure any unneeded data is deleted routinely, while employees will have the same rights to demand that their data is deleted, or handed to them in a readable format that could potentially be passed to a future employer.
One of the biggest issues in HR will be the legal acquisition of data, according to law firm Taylor Wessing. Because of the imbalance in the relationship between employee and employer, it is highly unlikely that a worker will have a free choice in giving consent, and there is unlikely to be a genuine alternative to withholding permission. After all, this is hardly saying ‘no’ to a mailing list.
In this case, an alternative lawful basis known as ‘legitimate interest’ can be used, so long as there is full transparency and the employer’s interest is not overridden by the employee’s rights and freedoms.
Marketing departments have been particularly concerned about the impact of GDPR. In a sector where personal information is king and databases have been grown over a long period of time, many marketers will be worried about their databases suddenly becoming unusable.
Where marketers rely on consent, the GDPR makes it clear what that consent must look like. The request must be in plain and simple language and the individual must take an active, affirmative action. This means no pre-ticked boxes in online forms, and no assumption that silence is consent.
This explains why so many companies have been sending out email requests for consent before the 25th May deadline.
GDPR could even be an opportunity. The preparation needed for compliance will mean you understand your data better, organise it more effectively and protect it more securely. This could enable you to embrace new technologies such as machine learning and artificial intelligence, or to share data with third parties in a secure, responsible manner.
What’s more, if you are compliant with GDPR, you are more than likely going to be compliant with future legislation in other countries and regions as it is likely that GDPR will be the ‘gold standard’ for other regulators around the world.
While GDPR will require organisations to overhaul cultures and processes that have served them well over the years, the technology industry has been working hard to provide tools that do much of the hard work for them.
For example, using a cloud service like Microsoft Azure or Office 365 means you benefit from the compliance features built into those platforms, such as retention policy settings and enterprise-grade security.
Data visibility is also improved by these services, allowing you to know where data is stored and how it is being used, unlike traditional IT systems on which data is hard to track and can be siloed.
Mobile Device Management (MDM) products can limit who has access to what information on which device. The loss of a device, such as a smartphone, doesn’t have to be catastrophic if the data on it is encrypted and the device can be wiped remotely. If it isn’t, you could be in line for a hefty fine.
GDPR can be a daunting prospect and the clock is ticking. But there’s still enough time to ensure you aren’t caught out. Familiarise yourself with the basics, make some changes and embrace a revolution in privacy that doesn’t necessarily have to be damaging to your business.