For those who have been stranded on a desert island the last couple of years, the General Data Protection Regulation (GDPR) is a new regulation designed to improve the protection of European citizens by requiring organisations to expand their data protection processes. It replaces the current UK Data Protection Act ('DPA') and will come into force across all EU member states, including the UK on 25 May 2018.
The new regulation expands the definition of personal data to include additional real-world data types that modern organisations now collect as part of normal business operations, for example IP addresses and data relating to a person's economic, genetic, social, mental or cultural identity.
The GDPR's influence expands beyond companies located within the EU to include any organisation around the world that manages data on behalf of any EU citizen.
Fines and penalties which can be imposed under GDPR have also increased - companies can be fined up to €20 million or 4% of annual turnover (i.e. revenue) from their previous financial year. These fines will be imposed on organisations that flout the regulations, as well as those that hold sensitive data. For non-conformance to the regulation or not having records of evidence in order, penalties include a fine of up to €10 million or 2% of annual turnover. Importantly, both of these fine levels are augmented by measures that allow data subjects to seek legal and financial redress, as well as the right of the ICO to restrict all or part of the processing until it is satisfied that any issues have been resolved.
Headline grabbing fines aside, it’s worth remembering that data protection really is more than a compliance issue. Customers care about their privacy and expect the businesses they trust their data with to respect that. It’s good business sense to demonstrate that you appreciate this cultural aspect, as well as the financial one.
The regulations (or Articles, of which there are 99) are relatively simple but can become complex when considered in an organisational context. The best advice is to not be overwhelmed by the articles at a granular level or to see the GDPR as your enemy. If you build the principles of the regulation into your organisational culture rather than being tormented by the interpretations of individual lines, they will help you manage personal data more effectively, both internally and externally.
The key high level rules of the road can be split as follows:
The GDPR only regulates the processing of Personal Data. This is defined as “any data that relates to a living individual who can be directly or indirectly identified from that data”, in particular by reference to an identifier such as name, contact details or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Does GDPR apply to my organisation?
If you collect or store any personal data on a computer or in a physical filing system, you will almost certainly be processing that personal data, and as a result will be subject to data protection law under the DPA and the GDPR.
Like the DPA, the GDPR effectively has two main aspects:
1) Organisational Obligations: Legal responsibilities that organisations must follow when they collect and/or process personal data. These are referred to as the Data Protection Principles in the UK. There are eight at present. The core principles remain largely the same, but with the addition of a new Accountability Principle, meaning that each organisation needs to demonstrate that it is complying with the Principles.
2) Individual Rights: These give the individual Data Subject whose data is being handled certain rights regarding their personal data and how it is used. This includes the right to receive a copy of their data, to object to its processing, and to request correction of inaccurate data or erasure of obsolete data.
What is the impact on business?
Those who are not already DPA compliant will undoubtedly feel the largest impact. The regulation will require businesses of all sizes to transform their policies, structure and personnel to ensure compliance whilst also being able to demonstrate this as and when required.
Data protection and security should be built into the fabric of organisations rather than farmed out or delegated to a compliance team. So while your security and compliance representatives should be very concerned with getting the detail right, every other colleague should care about and be aware of the principles, at every level and across all disciplines.
This approach has the added benefit of being a potential business differentiator if organisations are viewed by customers (and potential customers) as more responsible and empathetic on the topic of data.
What does it mean for the Data Subject?
Whilst the general public (or data subjects) may not yet be aware of the change, many will soon begin to notice differences in how businesses and organisations communicate with them. Privacy notices will be more transparent, consumer rights will be upheld and publicised, and news about data breaches will travel faster and be harder to gloss over. As a result it may seem that data is less secure after May 25, simply because the volume of related news will increase. Although this may cause more concern, it should also offer reassurances via the sizeable fines for unscrupulous and sloppy data management.
What do we do now?
Whilst not quite as apocalyptic as some pundits suggest, GDPR compliance is undoubtedly a significant business risk and compliance issue for most firms. All data and data processing activities should be reviewed and records put in place to demonstrate compliance in light of the new Accountability Principle.
For more information in the run-up to the GDPR coming into force next year, bookmark our insight section for more details.
Keoghs