Grab a tea or coffee; this is a long read.
Reading length: 10-20 mins (excluding beverage brewing time!)
The General Data Protection Regulation or GDPR is a legislative framework that was passed into law by the Parliament of the European Union on the 14th of April 2016 and comes into effect May 25th, 2018.
GDPR was created in response to increasing concerns about the potential for criminal exploitation of the digital footprint of individuals. The logged data that makes up our digital footprint could be used to profile individuals by political, religious, or personal affiliation and subsequently used for malicious purposes such as identity theft, fraud and blackmail.
Given the severe lack of oversight of this personal data, and the threat of inadequate security and privacy safeguards at the businesses and government organisations which handle the personal data of European citizens, the GDPR was created to address these concerns.
The primary aim of the GDPR framework is to ensure greater degrees of digital data security and personal privacy for all EU citizens and all those who do business with the EU. The GDPR is intended to ensure that any personally identifiable data held on individuals by companies, governments, or non-profit organisations is protected to a decent standard. It will also provide individuals with a higher degree of informed consent and control over the handling of their personal data, through Privacy by Design.
The General Data Protection Regulation will ensure that all EU citizens are able, after May 2018, to demand their stored data from any organisation (free of charge) and to delete their own stored data on request (subject to public interest) - known as the right to be forgotten.
Because the privacy regulation and law that govern data protection differ significantly throughout the EU, the GDPR sets a unified precedent for all EU member states.
Put into context, the GDPR framework will ensure that data collected on an individual living in France for example, is not stored and used to different standards by a business operating from Spain or the UK.
The regulation is also intended to maintain “informed consent” for EU citizens when data collection is requested. This will be done through requiring organisations to go into more detail about the intended use of any sensitive personal data entrusted for storage or processing. Consent may be withdrawn as the individual sees fit at any point, at which point the stored data must be destroyed (under penalty of law if it is not).
It's also worth noting that any documentation on data storage or processing that is provided to your customers, clients, or users should be free of any language that might confuse, be overly technical, deliberately mislead, or be difficult for the average reader to understand. Some organisations must also appoint a designated Data Protection Officer or Officers, who will be able to notify the authorities of changes in the organisation’s data handling directly.
How will GDPR be enforced?
The GDPR will give EU countries the ability to issue new and more robust penalties to organisations that fail to safeguard our data, or that unfairly exploit or misuse it.
Companies could be fined as much as 4% of their expected annual global profit or up to 20,000,000 euros for a breach of compliance. Fines will operate on a tiered system based on severity. 20,000,000 euros is the absolute maximum penalty that can be imposed for a single failure to comply with EU data regulation.
What must be done in the Event of a hack or leak?
Legally, all EU data controllers and data processors must notify affected individuals and member states within 72 hours of detecting an accidental or malicious data breach.
When does GDPR Enforcement Start?
Full enforcement of the articles contained within the GDPR will begin at 0:00:01 AM on 25th May 2018. From then on, the regulations set out in the framework will apply to all full member states of the European Union and to the public and private organisations therein, under penalty of law. A two-year grace period has been allowed for Europe to reach full compliance, during which no audits or prosecutions can take place.
Is Britain Exempt, due to Brexit?
Brexit will not provide any exemption whatsoever from the GDPR for the vast majority of public-facing organisations located in the United Kingdom.
The British government has indicated that they will pass an equivalent measure as part of the expected Great Repeal Bill, transferring the legislation into UK law. British representatives ratified the measures themselves prior to the referendum. As with any other country, British organisations will have to provide evidence of full compliance with the framework if they wish to trade or operate within the EU whilst retaining personal data. This will also apply to any organisations holding data on EU citizens outside of the EU without any direct use (such as with data storage companies).
If you are still holding or using data concerning even a single EU citizen after the deadline, regardless of your own nationality, your company could be audited for non-compliance and fined. In a recent Crown Records Management poll, 44% of UK businesses with EU ties (falsely) believed themselves exempt. Don't be one of them.
How will this Affect Small or Medium-Sized Businesses?
If you run a business, the most important approach to the regulation is one of common sense. The regulation is a mostly passive piece of legislation aimed at ensuring better practice. It should not require you to change or update your hardware or data collection methods significantly. However, it may need you to update your corporate behaviour, or offer clear communication to your customers over their data and how you plan to store and use it. You should also make sure that you can easily destroy any and all customer data if so requested.
What Risks could it pose to Businesses?
The main risk posed to small and medium businesses is punishment for non-compliance or poor execution in data processing or control, which could ultimately result in severe and damaging fines for each offence. Maintaining strict compliance when it comes to data protection and consent is the most important thing to consider here. If you are going to add a new data collection system, it may well be worth designing it with EU data compliance built in as policy. This could save vast amounts of time on systematic deletion and detailed documentation.
Likewise, a meticulous approach to data server security will always be a good approach for a business to take, regardless of legislation. Data breaches and leaks are often embarrassing, costly to deal with, and can severely damage the reputation of a company. This regulation will force you to disclose if you have suffered a critical hack, or face a further charge and a fine. It is obviously best to avoid that scenario altogether rather than risk taking a double hit from one setback.
To ensure full compliance with EU regulation on data protection by May 2018 your business should be able to:
- Provide full and clear information to consumers that allow for full and informed consent for data processing and storage
- Safeguard existing and any new data effectively to an industry-accepted standard of online and offline security
- Provide a high degree of control over any stored data to individuals
- Store no more sensitive data than is necessary to complete the data processing your customers have consented to and your business believes necessary
- Be able to provide stored data to consumers and delete it on request, whether it was gathered passively or initially provided by the individual
- Offer a high degree of public transparency as to what your company actually does with the data it collects
- Comply with all existing legal statutes for lawful data processing and third-party transfer and use of data
- Have at least one designated Data Compliance Officer for your business, if appropriate
- Be prepared to notify the public and authorities rapidly in the event of a critical data breach or leak
Image courtesy of Slon Dot Pics