GDPR: The Shape Of Things To Come

A revised version of the General Data Protection Regulation framework is set to be introduced across the EU in 2018 – and it is of such importance that not even Brexit can stand in its way. Not only has the ICO stated that any company wishing to do business in the EU must comply with the regulation, but it arguably also represents a set of ‘common sense’ policies that are well overdue for adoption. So the need for GDPR is clear – but what does it involve and how will it impact us?

In general terms, the purpose of the regulation is to provide for, strengthen and unify data protection for individuals within the EU. As set out by the EU Council, the overriding objective is to give citizens back control of their personal data and to unify the regulatory environment surrounding data protection. A brief summary of what GDPR includes on the personal level would comprise the following: the right to be informed about what data is held on you, the right to restrict others’ access to that data, the right to expect erasure of said data, the right to object to data collection and the right to suppress further use of data. This framework goes much further than the existing Data Protection Act.

Not only is this the biggest shake-up in EU digital law in two decades, it also acts as the natural successor to already extant measures such as Google’s ‘right to be forgotten’ and the recent trend to demand more privacy in the face of ‘the Internet’ taking more and more of our data as standard. Not only this, but the globalised business world demands standards and consistency over data security. The time is right for a shake-up of the law, but immediately this puts pressure on companies who must now ensure that they are compliant with a whole raft of new legislation.

The types of data that will now warrant extra protection under the GDPR are manifold: personal data such as email addresses, home addresses and phone numbers, to name a few, all of which must be – and more importantly must be proven to be – securely stored, not shared beyond what is absolutely necessary, and available for review and contention by their subject at any time. Compared to the DPA, GDPR will adopt a broader approach to the quantity of data and the quality of the protection, on the understandable basis that more security is always good security.

To operate in the GDPR environment, then, all businesses must have a comprehensive set of internal policies to govern data processes and guidance specific to departments (not just IT but all sections) in the company, as well as measures to ensure the conventional cyber security expected of companies that are responsible for personal data. Such policies are also expected to include staff training on their role in data protection law.

Full compliance is defined as the following: implementing appropriate technical/organisational measures, internal audits, maintenance of documentation, appointment of a Data Protection & Compliance Officer to ensure compliance with the legislation – in short, adopting a mindset of ‘data protection by default.’

For any company not complying, the sanctions are punishing: a fine of twenty million Euros or four percent of global turnover, whichever is the greater. It is almost certain that examples will be made in the early days of guilty parties, to scare their peers as much as to properly enforce the law, so the onus is on every company to not be one of the ‘low-hanging fruit’ which first falls foul.

Companies would be very unwise to disregard this regulation or not to prepare a means of complying with it. Under the new regulations, the responsibility for the security of the company’s data lies with the data processor as well as the data controller, which ensures that all companies (and their associated third parties) must take responsibility for the protection and maintenance of their customers’ data.

Such a significant fine for those that do not comply, and the assured raft of bad publicity that would follow, will ensure that the regulation is taken seriously, even if there may be some firms who – just as there are now – do not think security worth worrying about. Although GDPR will be time consuming and potentially costly, the security it will ultimately provide will benefit all parties and – as with anything that forces companies to think more seriously about their security measures – it has to be seen as a long-needed forward step.

Energy Suppliers, Utilities, Banks and Financial Institutions likely to be the first in the line of fire.