Just a very quick and brisk overview of GDPR (General Data Protection Regulation) which is due to become enforceable on the 25th May 2018. This EU law is designed to protect the data and the privacy of individuals within the European Union. It aims to give individuals control over their data and also addresses how the data is handled and exported outside of the EU.
What is Data?
Anything relating to a person such as name, home address, phone number, bank details, social media posts, medical information, IP address, place of birth, etc…
Isn’t this pointless – we have the Data Protection Act?
The Data Protection Act (DPA) was introduced in 1995 – that is 23 years ago! A lot has changed since then; most notably, computers and the internet are now an integral part of everyday life. All of our data, our information and, pretty much, our lives are controlled by data. We willingly enter all our details into websites and send them across the globe to be stored in some random company's database.
The DPA is ineffective because it was brought in at a time when none of this was that big an issue; it is now outdated. GDPR does deal with this, and the recent Facebook and Cambridge Analytica incident shows that something is needed.
Additionally, GDPR covers the entire EU so that all nations have the same rules and regulations, meaning the sharing of information between them is far easier.
Who does it apply to?
It applies to any company or organisation based within the EU, including charities and governments. Parts of the business outside of the EU, say in the US, still have to comply, as they are handling EU citizens' data.
GDPR states that individuals must give consent before a business may store and handle their data. Forms on web pages can no longer have tick boxes which say “Tick if you don’t agree to allow us to handle your data”; they must obtain affirmative and clear agreement. So the user must now tick to agree.
What else does GDPR offer and require?
- GDPR also gives individuals the right to request to have their data deleted at any time if it’s no longer relevant
- Companies with over 250 employees must have documentation detailing why people’s information is being collected and processed
- A Data Protection Officer is required by companies that have “regular and systematic monitoring” of individuals on a large scale.
- Individuals also have far greater access to their own data (seems only fair!) and will be able to request to see the data a company holds about them. In the past this would cost £10, however, this is now a free right of those within the EU.
What if a Company breaks the rules of GDPR?
There will be fines of up to 20 million Euros or 4% of the company's global annual turnover. So the consequences of a data breach are real and serious.
Companies like Yahoo, LinkedIn and Facebook have all suffered huge data breaches.
When a breach occurs, the ICO (Information Commissioner’s Office) must be told within 72 hours. The company must also notify the individuals affected.
12-step guide to preparing for GDPR – created by the ICO, view here