The GDPR (General Data Protection Regulation) is a buzzword in the legal sector at the moment. The legislation comes into force in May 2018. You’ve probably already heard about the potential sanctions for companies which do not comply with the legislation – fines of up to four per cent of worldwide annual turnover, or €20m, whichever is greater!
It might all just seem like a huge and unnecessary compliance burden. But do you know why the changes are being made, and how they will benefit individuals – including you?
Why are the changes being made and how do individuals benefit?
Since 1995, when the Data Protection Directive became law, there has been a massive adoption of the internet and social media, and of technology such as smartphones and tablets. Businesses, meanwhile, are using ever more sophisticated processes to analyse and track individuals’ online behaviour to increase the effectiveness of their marketing activities and drive sales. Many practices are so complex and/or opaque that the average person may struggle to fully understand how their personal information is being used, let alone be able to control businesses’ use of it.
Data protection legislation is now over 20 years behind this trend. It needs to be updated to take account of the major changes in how we share our own data and how businesses use it.
Rather than being simply pointless European red tape, the GDPR aims to redress the balance in favour of the individual, by enshrining the protection of personal data as a fundamental human right.
If the European Commission fulfils its ambition, in the coming years we are likely to see a seismic shift as the use of personal information becomes a highly regulated activity.
What do organisations need to do about it?
1. Learn the basics
If you are responsible for your organisation’s compliance, and starting from zero, it is essential to gain at least a high-level understanding of the GDPR, its scope and its requirements. A crucial starting point is to understand the key concepts and principles. The ICO provides a wealth of information on its website.
2. Set the tone from the top
A compliance program that is not supported and adequately resourced by the organisation’s highest level of management is doomed to failure. Your organisation’s management must be aware of the implications of the GDPR, invest in the appropriate resources necessary to enable compliance, and set the appropriate ‘tone from the top’.
3. Identify your data
Organisations must be able to identify the personal information they hold about their employees, customers and suppliers, and how it is used, including the systems in which it is stored. The level of risk will depend on the nature of the business: a private clinic, for example, is likely to hold a large volume of sensitive information about individuals, while a wholesale manufacturer may only hold limited contact details for a relatively small number of business customers.
4. Check your use of data is compliant
There is a lot of misinformation in circulation concerning the requirement for consent. The GDPR imposes stringent requirements upon organisations when they rely on consent in order to process individuals’ information. However, consent is not the only legal ground for processing. There are many others. As well as establishing a legal basis for using personal information, organisations must also ensure that their use is in line with the other principles of the GDPR, such as data minimisation, storage limitation, and use in accordance with individuals’ rights.
These steps will set the ball rolling on what for many organisations is likely to be a long journey. As data protection becomes a highly regulated activity, it is a very important exercise, and with less than a year before the GDPR takes effect, a very urgent one.
James Castro-Edwards’ new book, ‘EU General Data Protection Regulation: A Guide To The New Law’, is an interesting read in that regard. It explains the key concepts and their practical application, with comparisons against the Data Protection Directive, and incorporates applicable European guidance.