What’s the GDPR?
In a few weeks’ time, data protection rules in Europe will be subject to some radical changes from what they are now. This is due to the final approval of the General Data Protection Regulation (GDPR) by the European Union Parliament on 14 April 2016. This regulation is a new EU framework for data protection laws which replaces the current Data Protection Directive (DPD) 95/46/EC. This may be welcomed by some, since general data consumption has increased rapidly in the past decade while data regulation laws have remained the same since 1998. The GDPR will come into effect on 25 May 2018, in the middle of the Brexit process; the government has confirmed that the UK’s decision to leave the EU will not alter this. The Information Commissioner’s Office (ICO) will be responsible for enforcing the regulation.
Why is this law really important?
It is likely that the question of “data” will be on many people’s minds following the recent Facebook and Cambridge Analytica scandal. The General Data Protection Regulation was created to protect personal data and to regulate how businesses use that data. It also aims to give citizens and residents control over their personal data. Indeed, the recent data scandals show that big companies like Facebook, Google, Twitter, etc. do not always comply with the rules. Hence, this law is important because nowadays data is everywhere, and almost everyone has already shared some private data with a company. Once the data is shared, the user does not know what happens to it, because it may be distributed and sold between companies, and this process can lead to issues like data leaks and a lack of privacy for internet users.
What will the key changes be?
In this new regulation, there are 99 articles that deal with individuals’ rights, as well as the legal obligations of businesses affected by it. One of the GDPR’s aims is to give more power to users, so they have easier access to the personal data that is held about them. This is a major change in the legislation. Under the still-current 1995 Data Protection Directive, individuals can find out what personal data is held about them by making a Subject Access Request (SAR). The issue is that one has to make a written request and pay £10 for each request, which can make the process complicated and expensive. The new legislation makes this process quicker and free of charge, and even gives users the power to have their personal data erased if they wish to do so.
Another major change is that the ICO will have the power to impose fines on companies for non-compliance. The penalties could go up to £17 million or 4% of a firm’s turnover, a massive difference compared to the current £500,000 limit under the Data Protection Act. Such penalties could act as an incentive for companies to modify their conduct in relation to holding users’ data. However, the UK Information Commissioner, Elizabeth Denham, stresses that “this law is not about fines. It’s about putting the consumer and citizen first”. The Commissioner also says, “we will have the possibility of using larger fines when we are unsuccessful in getting compliance in other ways” and, “we’ve always preferred the carrot to the stick.”
The GDPR also recommends “pseudonymisation”, an IT security technique which enhances privacy by replacing direct identifiers with artificial identifiers or pseudonyms. This transforms personal data so that it can no longer be linked to a specific individual without additional information, which must be kept separately. This could help companies reduce the impact of hackers stealing private data they may be holding, since a stolen pseudonymised dataset does not by itself reveal who the records belong to.
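As an added illustration of what pseudonymisation looks like in practice (example code, not part of the original article), the following Python replaces the direct identifiers in a constructed customer record with keyed HMAC tokens. It assumes the secret key and the lookup table are stored apart from the pseudonymised data; that separation is what turns re-identification into something that needs “additional information”.

```python
import hashlib
import hmac
import secrets

# Constructed sample record standing in for one row of a customer table (not real data).
RECORD = {"name": "Alice Example", "email": "Alice@Example.org", "plan": "pro", "spend_gbp": 120}
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed pseudonym for one identifier: HMAC-SHA256 over the field name and the
    normalised value. Mixing in the field name means the same string used as a name
    and as an email address does not produce the same token."""
    normalised = value.strip().lower().encode("utf-8")
    tag = hmac.new(key, field.encode("utf-8") + b"\x00" + normalised, hashlib.sha256)
    return "pseud_" + tag.hexdigest()[:32]  # 128 bits is ample to avoid collisions


def pseudonymise(record: dict, key: bytes, fields=DIRECT_IDENTIFIERS) -> tuple:
    """Return (pseudonymised copy, lookup table). The copy is what analysts and
    downstream systems receive; the lookup table is the 'additional information'
    that must live separately (like the key) because it allows re-identification."""
    out, lookup = dict(record), {}
    for field in fields:
        token = pseudonym(key, field, str(record[field]))
        lookup[token] = record[field]
        out[field] = token
    return out, lookup


def re_identify(pseudonymised: dict, lookup: dict, fields=DIRECT_IDENTIFIERS) -> dict:
    """Reverse the process using the separately held lookup table."""
    restored = dict(pseudonymised)
    for field in fields:
        restored[field] = lookup[pseudonymised[field]]
    return restored


def guess_matches(pseudonymised: dict, candidate_email: str, key: bytes) -> bool:
    """With a plain unkeyed hash, anyone holding the dataset could confirm a guessed
    email by hashing it; with HMAC the guess can only be checked by a key holder."""
    return hmac.compare_digest(pseudonymised["email"], pseudonym(key, "email", candidate_email))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this out of the analytics environment
    safe, table = pseudonymise(RECORD, key)
    print(safe)  # no name or email address in the clear
    assert re_identify(safe, table) == RECORD
```

The same person always maps to the same token under a given key, so records stay linkable for analysis; rotating the key breaks that linkage, which is a useful property when a dataset is retired.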
This law will affect almost everyone, both large and small businesses, and is likely to unsettle the data sector. If your company deals with personal data, make sure your business is GDPR ready.