The GDPR is important for organisations AND individuals
It seems there is rarely a day when you don’t hear of some type of cybercrime in which data or other intellectual property has been compromised to benefit a third party, often to the detriment of the owner. For many organisations, data is arguably the most valuable commodity they have, and so a significant amount of time, money and effort is spent protecting it. This is also why governments around the world, rightly concerned about the use of data relating to their citizens, have introduced laws that force such data to be treated with appropriate care.
For those of us living in Europe, the law in force has been the 1995 Data Protection Directive (DPD), which governs how organisations can collect, use and share personal information. However, time and technology have moved on significantly since then. The relentless move to the Cloud and the prevalence of Big Data and analytics, driven in no small part by social media and the economic need to extract ever more value and opportunity from these connections, has meant that this law needed a refresh.
So what is the GDPR?
The new law, fully coming into effect in 2018, is called the General Data Protection Regulation (GDPR). It brings a new set of requirements for ANY organisation worldwide that provides, or seeks to provide, goods or services to European citizens, or that uses or monitors their personal data. It also has a formidable set of teeth: organisations falling foul of this law can expect an administrative fine of up to 2-5% of ANNUAL worldwide turnover (for the previous year) and an Enforcement Notice to stop processing customer data, rather than the existing maximum fine of £500,000. That is certainly enough to make shareholders take notice and to ensure board-level attention.
If the potential cost and impact of non-compliance weren’t enough to make organisations act, the number of ways to become non-compliant, and the ease of doing so, certainly will. For example, whereas it was previously acceptable to use negative opt-in for marketing consent (“click here if you don’t want to be signed up to these newsletters”), consent will now need to be explicit, with added modifiers such as time limits, opportunities to opt out of profiling and the ability to object to any profiling.
Also, the burden of proof to show that consent was either given or not required will sit at the desk of the organisation’s Data Controller, who could be fined for any one of the 28 Administrative breaches contained in the GDPR. The same applies to personal data breaches, which now need only cause “distress” to a person rather than actual harm or financial loss. This makes data protection a top consideration when reviewing and updating business continuity within the organisation.
As well as the collection of data, there are further changes around the way it is stored and used, and to the methods and timescales for reporting breaches. The next instalment will cover these; in the meantime you can see the full text HERE.