Articles abound within the IT press on the need to prepare for the EU’s new General Data Protection Regulation (GDPR) which comes into effect on 25 May 2018. Key questions are “What is it all about, and why are people getting so excitable about it?”, and I shall try to address these here.
The current Data Protection rules date from 1995, a time when the Internet was quite new and relatively few people had computers at home; smartphones, Google, social media, ‘the cloud,’ etc. hadn’t been invented, Apple appeared to be in decline and Microsoft had just released “Windows 95”. After all the subsequent changes, the battles with global IT corporations and with other countries over data protection, and a desire to better protect its citizens’ privacy, the EU produced the new regulation in 2016 and allowed two years for it to be implemented.
In simplest terms, the regulation focuses on two key aims:
- requiring management to recognise what personal data its organisation needs and holds, and how it uses and protects that data,
- giving individuals enhanced rights relating to their personal data which is held by organisations.
The GDPR document has 99 articles in it, so you’ll appreciate that this summary is succinct, and preparing your organisation to comply with the regulation will take some planning and commitment – hence the excitement amongst those who have looked at what will be needed and started to think through the implementation process.
There is no doubt that time is the critical factor, and some cost is inevitable. With 14 months in which to prepare, the most urgent task is for company boards and senior managers to understand what will be required of them – they carry the responsibility, and the whopping penalties for infringement of the regulations are intended to emphasise this responsibility. Larger organisations are required to formally appoint a Data Protection Officer, which may take some time. All organisations will need to review in detail what data they hold, whether they need it and have obtained and recorded appropriate consent to hold it, how they will delete or transfer it, how they will report on their data processing, and much more.
The UK’s regulator, the Information Commissioner’s Office (ICO), recommends that businesses should invest in meeting the new data protection regulations to drive real business benefits. Information Commissioner Elizabeth Denham prefers carrot to stick and says: “Get data protection right, and you can see a real business benefit,” indicating that those who can demonstrate their respect for personal data are likely to attract more customers. She also said that the ICO’s most recent survey found 75% of customers now don’t trust companies with their personal information. “I found that stunning and shocking.”
Anyone hoping that Brexit may brush aside the need for compliance will be disappointed. Apart from needing to abide by the regulations if you hold personal data about any person in the EU, the minister of state for digital and culture, Matt Hancock MP, speaking to the EU Home Affairs Sub-Committee on 1 February 2017 suggested that, because the UK will have adopted GDPR by the time Brexit takes place, any replacement legislation will be based on the EU’s, rather than trying to force the EU to accommodate UK legislation drafted from scratch. He said the UK’s priority was “to secure the unhindered flow of data between the UK and the EU post-Brexit” and described the GDPR as “a good piece of legislation in and of itself.”
Looking more particularly at small and medium enterprises, those that have fully understood the current Data Protection Act with its eight principles, and are conscious of the state of their IT systems and security, will not find the change to GDPR too onerous. Others have some catching up to do.
For more information please get in touch.