Given the recent furore over data harvesting and social media behaviour, next month’s launch of GDPR seems rather fitting. Four years in the making, the EU’s General Data Protection Regulation will come into force on May 25th. It will apply to all EU member states, including the UK. It will also introduce some fairly significant changes to data protection laws that have remained largely unchanged in Europe since 1995 when the average UK school or college contained one or two internet-connected computers at most.
Today, the average UK citizen has 3.5 internet-enabled devices. Our use of (and dependence on) the internet has seen us hand over unprecedented quantities of data to faceless online organisations. And, as the Cambridge Analytica story demonstrates, personal information hasn’t always been afforded the respect it deserves. GDPR will swing the pendulum back towards individuals by protecting and empowering their data privacy, whether a company knows them as an employee, a supplier or a customer.
Privacy by design
GDPR’s focus on accountability presents a significant challenge for companies around the world, and particularly those holding customer data. Consent for storing and processing data must be freely given and unambiguous, and anyone who suffers damage (material or otherwise) as a result of a breach of the regulation will be able to claim compensation.
These are the main changes that British businesses should be aware of:
- Article 30 of the regulation appears to exempt organisations employing fewer than 250 people, but the exemption only covers the duty to keep written records of processing, and it falls away if the processing is more than occasional, is likely to put individuals at risk, or involves special categories such as health data. In practice even a limited company with a single registered shareholder needs to check that it is not breaching the rules.
- Personal data is covered if the individuals concerned are in the EU, even if the company is established elsewhere, whenever it offers them goods or services or monitors their behaviour. This closes a key loophole in the 1995 directive, ensuring people in the EU are protected during and after any transaction.
- Personal data can take many forms, from a name or email address to a photo or debit card details. It also includes online identifiers such as an IP address or a cookie ID. Anything that could directly or indirectly identify a living person counts.
- Individuals may ask for confirmation of what personal data is held on them, how it is being used and why the company needs it. The information has to be provided free of charge (unless the request is manifestly unfounded or excessive), normally within one month, and in a commonly used electronic format if the request was made electronically.
- Building on the last point, companies may only collect and keep data that is necessary for the purpose they have stated. This is known as data minimisation; the related principle of purpose limitation means the information can only be used for those explicitly stated purposes and not quietly repurposed later.
- The security of personal data is central to the new regulation. Companies must implement appropriate technical and organisational measures (the regulation names pseudonymisation and encryption as examples) and be able to show that they have done so. That poses awkward questions for data stored in the cloud: the company remains responsible for it, so it needs to know where the data sits and have a written contract governing what the provider may do with it.
- Companies have 72 hours from becoming aware of a breach to notify the supervisory authority (the ICO in the UK), unless the breach is unlikely to put individuals at risk, and must tell the affected individuals without undue delay where the risk to their rights and freedoms is high. That would have made it unlawful to bury the Yahoo email hack of 2013 for more than three years before it was finally made public.
The penalties for breaching the regulation can be as high as €20 million or 4% of worldwide annual turnover, whichever is higher. That’s a punitive sum for not being able to prove that customers consented to having their data retained and processed. The days of burying consent in multi-page T&Cs or relying on pre-ticked “I agree” boxes are over: consent must be freely given, specific, informed and unambiguous, signalled by a clear affirmative action, and as easy to withdraw as it was to give. And because the regulation applies to all processing from May 25th, including data collected before that date, existing consents have to be checked against the new standard and refreshed where they fall short.
Protect and survive
Despite Brexit, GDPR will effectively replace our archaic Data Protection Act 1998. Before May 25th, British companies need to establish whether they must appoint a data protection officer: the requirement is not tied to headcount but applies to public authorities and to organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data. The DPO’s job is to evaluate the EU’s new legal framework against the company’s own databases and IT infrastructure. Compliance will vary from one company to the next, depending on everything from database security to cloud service provision. Where a processing activity is likely to put individuals at high risk, evaluating it formally is known as a Data Protection Impact Assessment (DPIA), and it is an essential tool for demonstrating compliance.
A record of processing activities (often called a data register) also has to be kept, demonstrating compliance and serving as mitigation in the event of enforcement action or litigation over a breach. Personal data (what US practice calls personally identifiable information, or PII) must be identified and given appropriate protection, particularly in terms of the new right to erasure, better known as the ‘right to be forgotten’. And finally, potential risks to personal data must be identified and addressed. Ignorance is no longer an excuse.