Do you know about GDPR? If you don’t, then read on – but be warned, it involves data protection, the EU and regulation, which is probably why you have avoided reading about it in the past.
Let’s start with an example of its likely impact. TalkTalk received a record fine from the Information Commissioner’s Office (ICO) of £400,000 for the failings that led to its now notorious data breach. This is 80% of the maximum fine that the ICO can impose. Under GDPR, a similar instance of non-compliance would expose TalkTalk to a maximum fine of over £70 million. What would non-compliance mean for your organisation?
The deadline for implementation of the new EU General Data Protection Regulation (GDPR) is May 2018. It will replace the ageing EU Data Protection Directive and is the first major rewrite of European privacy law in 20 years.
Now you might think that, post-Brexit, the GDPR becomes an irrelevance. Not so: the Government has confirmed that it is committed to implementing GDPR, as the UK will still be a member of the EU in 2018. Could we opt out later? No. The new rules are designed to establish a single, pan-European law for data protection, replacing the current inconsistent mix of national laws. This means that any company, regardless of whether it is established in the EU or not, will have to apply EU data protection law if it wishes to offer its services in the EU. 78% of the UK’s economy is based on services, which are usually highly dependent on the free movement of data. The UK will therefore almost certainly retain GDPR, even if it calls it something else. Plus, both the ICO and the UK Government have pushed for reform of the EU law for several years, as they see improvements in data protection as an important part of supporting the continuing evolution of the UK’s digital economy.
The overarching aim of the GDPR is to strengthen citizens’ data protection rights and build greater trust. The five main elements are:

1. A “right to be forgotten”, when an individual no longer wants her/his data used, provided there are no legitimate grounds for retaining the data.
2. Easier access to your own data, with more information on how it is used, including a ‘right to data portability’ making it easier for you to move your personal data between service providers.
3. A ‘right to know when your data has been hacked’.
4. A requirement to ensure data protection ‘by design’ and ‘by default’, thereby building safeguards into products and services from the earliest stage of development, establishing for example privacy-friendly default settings on social networks and mobile apps.
5. Stronger enforcement of data protection, including fines of up to 4% of global turnover, hence the potential impact on TalkTalk.
The overall idea is that data now drives commerce, and that improved standards of data protection, coupled with greater trust, will continue to fuel growth, create new business opportunities and help to power the expanding digital economy. It is estimated, for example, that the value of European citizens’ personal data has the potential to grow to nearly €1 trillion annually by 2020. GDPR is a key element of this strategy, replacing the current patchwork of national laws, no doubt to the chagrin of Brexiteers, with a single, pan-European law for data protection. This means that companies operating in the EU will deal with one law, not 28 (or 27), saving, we are told, an estimated €2.3 billion a year.
You need to know about GDPR, even if you don’t support its aims.