From May 2018, the EU General Data Protection Regulation (GDPR) will affect every organisation that handles the personal information of any EU resident. It is by far the biggest overhaul of data protection law in 20 years. Drafted by the European Commission, the new regulation aims to give individuals more control over how their personal information is used by the organisations that store it, while standardising and simplifying the data protection rules across all 28 EU member states. The EU hopes to strengthen data protection and privacy standards significantly and to introduce tougher measures to enforce its requirements, building trust in a rapidly growing digital world.
Currently, the United Kingdom conforms with the Data Protection Act 1998, but this will be superseded by the forthcoming EU legislation, which carries significantly tougher sanctions for non-compliance and privacy breaches than ever before. Unlike previous directives, GDPR does not require the UK Government to draw up any legislation and pass it through Parliament, as the new EU regulation will automatically apply in all EU member states on 26th May 2018. Once the new legislation comes into effect, organisations must ensure they handle and protect personal data in a lawful and transparent manner that complies with the terms of the regulation from day one.
There are a number of important principles that organisations need to be aware of as a result of the new legislation. For example, personal data should only be stored by an organisation for a specific purpose, and once that purpose has been fulfilled and the data is no longer required, it should be destroyed. There is also a greater focus on ensuring organisations obtain the consent of users before collecting information and on maintaining the privacy of that data. While there are some similarities to the UK’s Data Protection Act, GDPR is far more stringent and considerably more complex than previous directives. This presents an immediate challenge for all UK businesses and organisations, which must make sure they understand the impact the new regulation may have on them.
What are the key changes introduced by GDPR?
The new regulation introduces a number of key changes from previous regulations and directives. Some of the most significant changes include:
- An increased territorial scope: even if your business is not based in the EU, you will still need to comply with the new regulation if your business holds any information about EU residents.
- Clear and affirmative consent must be given by the data subject to process their personal data, and it must be possible to withdraw consent easily.
- Parental consent must be recorded before processing the personal data of children under the age of 16, although some Member States may lower this threshold to 13.
- The ‘right to erasure’ (also known as the ‘right to be forgotten’) has been introduced to allow individuals to have their personal data erased in specific circumstances, primarily when there is no compelling reason for it to be kept.
- The definition of personal data is now much broader than in previous regulations and covers a larger number of identifiers. Organisations should adopt measures to reduce the amount of personal information they store and ensure they do not retain data that is not necessary.
- Privacy Impact Assessments (PIAs) need to be conducted on a regular basis to minimise the risk of data breaches and protect the personal information of data subjects.
- Organisations will be required to report any data breaches to their Data Protection Authority (the ICO in the United Kingdom) within 72 hours.
- In certain circumstances, organisations must appoint and designate a Data Protection Officer (DPO) with expert knowledge of data protection law and practices.
While not a new concept, GDPR adopts the approach of ‘privacy by design’, which promotes building privacy into business systems and operational processes from the start. The new regulation makes it a mandated legal requirement that privacy is taken into account throughout the technical design and engineering lifecycle. GDPR also adopts the principle of ‘privacy by default’, ensuring that appropriate measures are implemented to protect personal data and reduce risk. These two principles alone represent the continued evolution of data protection legislation, as they emphasise the need for more proactive mechanisms and controls to protect and secure the personal information of EU residents.
One noteworthy change that affects everyone is that the definition of ‘personal data’ has been expanded significantly by GDPR so that it covers a larger number of identifiers, reflecting the greater volume of information that organisations collect today. For example, a person’s IP address is now considered personally identifiable information (PII), along with a range of other social, cultural and economic information. This information should only be captured and stored by an organisation if it is required for a specific and demonstrable purpose. Once that purpose has been fulfilled, the information (or PII) should be erased by the organisation as a matter of course, so that a person’s information is not stored unnecessarily. Coupled with the new ‘right to erasure’, this presents an immediate technical challenge that will require sophisticated information management systems to manage data effectively and securely under the new rules.
What does GDPR mean for UK businesses today?
With little over a year remaining for European organisations to become fully compliant, GDPR presents an immediate challenge for most businesses in the United Kingdom. The new requirements will mean that most organisations need to drastically change the way they handle, process and store the data of their customers and users. In most cases, this will require organisations to make significant investment in updating existing systems, re-engineering existing operational processes and training people to be fully compliant with GDPR’s requirements and rules. Having spoken to a number of organisations over the past few months, I have found that the new regulations have left a lot of business leaders and decision-makers extremely confused and concerned by the changes. The major challenge is making sure businesses implement the changes necessary to become compliant before the enforcement date. Is it too much, too soon for UK organisations?
A recent study conducted by security firm Symantec in October 2016 reveals that, of the 900 European companies surveyed, 96% do not fully understand GDPR and 9 out of 10 have concerns about their ability to become compliant ahead of May 2018. This highlights the fact that many businesses are simply unprepared for GDPR and the potential impact it will have, raising the question of how the wider UK business community will become compliant by the deadline.
The consequences of non-compliance or of any breach of data privacy are now much more significant than under previous regulations and directives. The maximum penalty that can be imposed by a Data Protection Authority (DPA) is now up to €20 million or 4% of annual global turnover, whichever is greater. The impact of non-compliance on organisations is therefore much more significant and will soon be very real.
Does Britain’s exit from the EU affect GDPR?
Essentially, no, it does not. Britain’s impending exit from the European Union does not affect GDPR’s arrival, as many UK organisations will still handle and maintain personal data on EU residents. The UK Government has confirmed that the UK’s decision to exit the EU will not affect the commencement of GDPR. The new regulation will come into force before Britain’s exit from the EU is finalised and executed. Therefore, the new rules will still apply, and compliance with the regulation must be maintained by UK organisations irrespective of when the terms of Britain’s departure from the EU are agreed and confirmed. It is therefore imperative that UK organisations start to recognise and address the requirements of GDPR now.
How can Prodera Group help your business?
Preparing for GDPR is no easy task. At the very least, organisations should assess their current position and identify any gaps or areas of non-compliance in their existing processes and systems. Only then is it possible to conduct a formal impact and readiness assessment that gives the business a detailed picture of what action needs to be taken. This is where Prodera Group can help, drawing on in-house expertise in engineering information management systems for a range of industries and extensive knowledge of information security. We can help our clients develop a comprehensive strategy to address the technical and operational challenges of GDPR and be compliant by May 2018.
For more information, please read the Official Journal of the European Union – Regulation (EU) 2016/679 or visit the ICO’s dedicated webpages on Data Protection Reform.