We’ve all heard the term GDPR, and have become used to having to add an extra click when accessing a new website. However, the actual nuts and bolts of GDPR are notoriously vague.
So, what is it, and what does compliance mean for you?
Background
Until 28th May 2018, personal information was something of a grey area when it came to privacy. In the early days of the Internet, the Data Protection Directive (1995) offered basic guidelines. However, nobody in the 1990s could have forseen the way that the value of data would grow, and how this growth could allow strangers a direct window into our personal worlds.
Companies now rely upon monitoring and sharing information. The General Data Protection Regulation (GDPR) aims to ensure that this information is handled responsibly.
What exactly is GDPR
It’s a “step change”, according to Information Commissioner Elizabeth Denham, who gives regular speeches on the issue.
In other words, it’s a work in progress.
The primary aim of the EU’s GDPR initiative has been to bring various different acts and policies into line. In theory, this should make the rules simpler for everyone to understand.
This act of harmonization has resulted in widespread changes for everyone, whether you’re a business owner or an Internet user.
In the UK, which is poised upon the brink of a messy Brexit, the Data Protection Act (DPA) (2018) covers the UK interpretation of the EU’s GDPR.
Neither the EU’s directive nor the UK’s Data Protection Act (2018) is considered to be fool-proof. Rather, they are interim measures in a complex and evolutionary process.
Am I affected?
Yes.
Whether you’re an individual, a start-up, a SME, or a multi-national, the DPA and GDPR will have some influence on your handling of personal data.
There are thee important key terms. A data controller is someone who decides how personal data will be used. A data processor is the person who then processes that data. Processing is the legal term that refers to anything to do with data, whether that is collecting, recording, storing, or sharing.
The main data that this refers to is personal data. This includes your name, address, date of birth, and anything else that might be used to identify you. It’s also referred to as ‘sensitive information’.
Individual data protection is covered under eight specific rights, which are outlined and explained here.
The other 91 elements of the GDPR refer to how organisations, businesses, and charities must respect those individual rights.
So, this means accountability and compliance?
GDPR is an initiative that is fundamentally rooted in accountability and compliance. It makes organisations active players in the mission to protect user data, meaning that companies can no longer do what Uber did and keep massive data breaches secret.
Uber took a year to finally confess. Under the new GDPR rules, companies have just 72 hours.
Moreover, the larger an organisation, the higher the GDPR stakes. If a company has more than 250 employees, GDPR becomes a question of visibility and transparency, with GDPR compliance becoming something that is formally monitored. Many companies are now employing data protection officers to ensure that this happens in a way that is legal.
The aim of this is to prevent massive data breaches. This, in theory, should restore consumer confidence.
Accessing data
Of the eight clauses relating to individual rights, one regards accessing personal data. We saw an early precursor of this in the form of the ‘right to be forgotten’, a legal case that Google famously lost. The ‘right to be forgotten’ debacle brought into question the ethics of automatic digital footprints.
After all, some of us like to take our shoes off at the door, so to speak.
Under GDPR, Subject Access Requests (SARs) are now a right. If an organisation is issued with a SAR, they have to offer all of the information that they have about that individual, and may lead so some requests for information to be erased.
This is why people now have to tick an ‘I consent’ box when they visit a website.
Fines
The way that GDPR is enforced is through penalties, and specifically through fines.
There is a long history of this in the realm of data protection. Equifax was recently fined £500,000 for a 2017 security breach under the previous data protection laws. Even though the company is based in the US, it was still found to have legal responsibility for the data protection of its UK users.
GDPR fines are set to be vastly higher. They are likely to be “10 million pounds or 2% of annual global turnover, and up to 20 million pounds or 4% of annual global turnover”.
This has yet to be put to the test in such a dramatic way. However, the Forbes article points out that Yahoo could have been fined up to $160 million for its 2012 data breach, so the implications are not to be taken lightly.
Denham is keen to stress that the Information Commissioner’s office doesn’t want to scaremonger. However, the powers granted to them by the EU are formidable.
So… what do I do?
Many people are hiring a data protection officer. Since the launch of GDPR, there has been a flurry of courses to train people in the legal technicalities. However, you can also start by accessing the Information Commissioner’s guide, (or, if you want to really know your stuff, access the full EU document).
The general advise is: don’t panic. However, do be careful, and do take the time to engage in a little homework in order ensure that you don’t inadvertently fall foul of the new laws.
