Part 1: GDPR! As simple as “Data Protection gets an ‘upgrade’”?
So you’ve never heard of GDPR? Or you assume that it won’t apply to you? Well, you wouldn’t be the only one. Many people, small businesses and larger organisations alike are only now waking up to the possibility that the new GDPR regulation may affect them more than first thought. Still not sure? Read on…
A significant challenge in the information age is the ability to maintain a basic human right to privacy, a challenge that is continually tested by the increased use of technology such as big data, social media platforms and Business Intelligence. The way this information is used and processed has expanded exponentially, demanding more regulation on the protection of such data.
It has now been recognised by many companies that they have a responsibility to safeguard the information that they collect and store, especially since the value of such data has been exposed. In this context, personal data has been highlighted by society as “working capital”. Coping with this new perspective has led to regulation on data protection being extended.
The ‘Data Protection Act 1998’ is the current standard for information protection in the UK and Europe. The recent changes in the use and dynamics of data have led to a shift in perspective, from subjects requiring a ‘right to confidentiality’ to a new and fundamental desire for a “data protection right”. This “right” drives a more pre-emptive approach to privacy, and the new approach introduces a right to the disposal of private data.
Introducing the new EU General Data Protection Regulation (GDPR) and its 91 Articles
GDPR legislation integrates a new requirement of consent to use data in the first place. Due to come into force on 25 May 2018, the directive encourages all organisations to review the way in which data is managed. GDPR is a system of regulations or rules designed to enhance and standardise the governance of data protection within the EU, although it is now globally applicable to all organisations that collect, store or use information on EU subjects.
Governance, applied consistently, is extended with the added requirement to document procedures and to perform conditional risk assessments. Another inclusion is the extension of the notification procedures required in relation to data protection breaches.
Key variations organisations must be aware of include:
a) Breach notification – A new requirement for organisations to notify data authorities of a breach within 72 hours of the personal data breach being discovered. In the UK this is likely to be the Information Commissioner’s Office (ICO). Any person whose personal information has been breached may also need to be notified under the new regulations, but only if the breach poses a “high risk to their rights and freedoms”.
b) Privacy by design – has always played a part in EU data regulations. The new regulation formalises the principles of minimising data collection and storage, as well as gaining consent from consumers when processing data.
c) Data Protection Impact Assessments (DPIA) – Another new requirement: when certain data associated with subjects is to be processed, companies will first have to analyse the risks to the subjects’ privacy.
d) Right to be forgotten – The requirement to allow consumers to request that their data be deleted has been extended within the GDPR regulation to include any data published on the web. This erasure right allows the person to be removed from public view and “to be forgotten” unless an organisation can prove a legal right to retain the data.
e) Extra-territoriality – Any company which does not have a physical presence in the EU but which, in the course of trade or business, collects data about EU data subjects (for example, through a web site) is still required to meet the requirements of GDPR. This will also affect online companies, whether small social-media-based sellers or larger e-commerce companies.
f) Fines – The penalty structure within GDPR is quite significant. Serious contraventions, such as not meeting the basic principles, can result in a fine of up to 4% of a company’s global revenue. Other non-compliance could incur ‘lesser’ fines of up to 2% of global revenue, which, while not as significant, is still rather costly.
In conclusion, if any of your current practice or business activity is governed by the Data Protection Act, or if your organisation falls under the new territorial range of GDPR, then knowing where your data is stored (including off-site, cloud and data centres), who may have access to it and whether they should be accessing it, now becomes critical.