What is GDPR?
Currently, the UK relies on the Data Protection Act 1998, which was enacted following the 1995 EU Data Protection Directive, but this will be replaced by the new legislation. The GDPR introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU. The GDPR is the EU's new framework for data protection law; it took 4 years to write through international consultations that finished in May 2016, and it becomes enforceable from 25th May 2018. In theory, this law applies not only to EU members but to all countries that exchange information with the EU. British ministers have confirmed that the UK will be complying.
Who does it apply to?
GDPR will apply to any individual, organisation and company that is either controlling or processing personal information that can be used to identify a person, such as name, address, IP address and even things like your religious and political views, sexual orientation, medical history and more. If you are currently subject to the Data Protection Act, it is likely that you will also be subject to the GDPR.
So what's new in GDPR?
All 99 GDPR articles outline the rights of individuals and the obligations placed on organisations covered by the regulation. These include allowing people easier access to the data companies hold about them, a new fines structure and a clear responsibility for organisations to obtain the consent of the people they collect information about. Whilst most organisations deem GDPR a good move, small companies and startups will struggle to go through all the formalities, as no information has been passed on to them. Only 6 months remain for the GDPR to become a reality, and if you've never heard of it, you're not alone.
Serious Data Management
Companies covered by the GDPR will be more accountable for their management of people's personal information. This will include having totally new policies, data protection impact assessments and relevant procedures on how data is processed, whether electronically or as a hard copy. There have been a number of data breaches in the last year or so. On average it takes 350 days for a company to learn that it has been hacked or that its data has leaked. It takes another 80 days for an organisation to actually find out what data has been compromised. Companies are blackmailed by hackers who demand Bitcoin payments and threaten to make all the information public. Recently, Uber confirmed that its database had been hacked over a year ago and that it paid the hackers not to release the stolen information to the public.
Under GDPR, the "destruction, loss, alteration, unauthorized disclosure of, or access to" people's data has to be reported within 72 hours to the country's data protection regulator - in the case of the UK, the Information Commissioner's Office. The consequences could be detrimental to the responsible business, depending on the financial, confidentiality or reputational impact.
Organisations with 250 or more employees must keep records of why people's information is being collected and processed, descriptions of the information that's held, how long it's being kept for, and descriptions of the technical security measures in place. Companies that carry out "regular and systematic monitoring" of individuals at a large scale have to employ a data protection officer. This may mean hiring a new member of staff, but some organisations may already have people in this role.
Apart from all the new obligations that organisations have to meet, the GDPR also gives individuals a lot more power to access the information that is held about them. Businesses and public bodies are currently allowed to charge for information access requests made by individuals. Under GDPR this will no longer be the case. Companies will have to provide any information about an individual for free, and the requests will have to be fulfilled within a month.
Individuals will be able to request that their information is erased in most situations, although some exceptions will still apply. Businesses will have to be clear about why, and for how long, they need to keep your personal information.
Organisations that fail to comply face the power of regulators to fine them. Mishandling personal information or failing to appoint a data protection officer will lead to a potentially heavy fine of up to €20,000,000 or 2% of global turnover, and in some cases up to €40,000,000 or 4% of the company's revenue, whichever is greater. By comparison, the maximum penalty the ICO can currently issue is £500,000.