General Data Protection Regulation (GDPR)
What is the General Data Protection Regulation (GDPR)?
"GDPR will be an agenda item for every board from now through enforcement in 2018 and beyond. And no, Brexit doesn't change anything." - Duncan Brown, Research Director, European Security Practice at IDC
The EU's data protection legislation, the General Data Protection Regulation (GDPR), was adopted in April 2016 and applies from 25 May 2018, two years after adoption. The GDPR is intended to strengthen and unify data protection for individuals within the EU, but it will also affect the UK.
It requires that personal data be processed securely, collected lawfully, used only for the purposes for which it was collected, and kept accurate and up to date.
What about Brexit?
Even though the UK is leaving the EU, it doesn’t change the need for UK businesses to be compliant.
The Information Commissioner's Office (ICO) has confirmed that if the UK wants to trade with the single market, UK data protection standards will have to be equivalent to the EU's GDPR framework from 2018.
The General Data Protection Regulation (GDPR) focuses on the following areas.
Much of the GDPR is about process and the operational aspects of data protection. But some elements can only be enabled by technology, and others are made more manageable or cost effective through technology.
Companies must get prior consent from data subjects (opt in) and record that consent. What's more, the consent must relate to the specific purposes for which the company needs the data: companies cannot obtain consent for one purpose and then use the personal data for another.
On top of this, data subjects must be able to withdraw their consent as easily as they originally gave it. Many consumers today complain that it is easy to opt in to data gathering but extremely hard to unsubscribe or opt out.
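The two requirements above (consent recorded against a specific purpose, and withdrawal through the same channel as the grant) translate into a small piece of engineering: an append-only consent record plus a check that runs before any processing. The following is an added illustration, not code from the original page or from any product; the ledger class, the purpose names and the subject identifier `u-1001` are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the consent record."""
    subject_id: str
    purpose: str           # the specific purpose consent applies to, e.g. "newsletter"
    granted: bool          # True for a grant (opt-in), False for a withdrawal
    recorded_at: datetime  # when the event was recorded (UTC)
    channel: str           # where it came from, e.g. "web-form", "account-settings"


class ConsentLedger:
    """Append-only consent record keyed by (subject, purpose).

    Events are never deleted or edited; a withdrawal is simply a later event
    with granted=False, so the full history stays available for audit and export.
    (Hypothetical class written for this example.)
    """

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, subject_id: str, purpose: str, granted: bool,
                channel: str, at: Optional[datetime]) -> None:
        # Purposes are identifiers, not free text: reject anything not normalised,
        # so "Newsletter " and "newsletter" cannot silently become two purposes.
        if not purpose or purpose != purpose.strip().lower():
            raise ValueError("purpose must be a non-empty, normalised identifier")
        stamp = at or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(subject_id, purpose, granted, stamp, channel))

    def grant(self, subject_id: str, purpose: str, channel: str,
              at: Optional[datetime] = None) -> None:
        self._append(subject_id, purpose, True, channel, at)

    def withdraw(self, subject_id: str, purpose: str, channel: str,
                 at: Optional[datetime] = None) -> None:
        # Same shape as grant(): withdrawal is deliberately no harder than opting in.
        self._append(subject_id, purpose, False, channel, at)

    def is_permitted(self, subject_id: str, purpose: str) -> bool:
        """The most recent event for this subject and purpose decides; no event means no consent."""
        latest = None
        for event in self._events:
            if event.subject_id == subject_id and event.purpose == purpose:
                latest = event
        return latest is not None and latest.granted

    def history(self, subject_id: str) -> List[Dict[str, object]]:
        """All events for one subject as plain dicts, ready for JSON export."""
        return [
            {"purpose": e.purpose, "granted": e.granted,
             "recorded_at": e.recorded_at.isoformat(), "channel": e.channel}
            for e in self._events if e.subject_id == subject_id
        ]


def process_for_purpose(ledger: ConsentLedger, subject_id: str, purpose: str,
                        action: Callable[[], object]) -> object:
    """Gate a processing step on current consent for exactly that purpose."""
    if not ledger.is_permitted(subject_id, purpose):
        raise PermissionError(f"no valid consent from {subject_id} for purpose {purpose!r}")
    return action()


def demo() -> Dict[str, object]:
    """Walk through grant, purpose limitation, withdrawal and export on constructed data."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    # Constructed sample: subject u-1001 opts in to the newsletter via a web form.
    ledger.grant("u-1001", "newsletter", "web-form", at=t0)

    results: Dict[str, object] = {}
    results["newsletter_ok"] = process_for_purpose(ledger, "u-1001", "newsletter", lambda: "sent")
    # Same data, different purpose: must be refused even though consent exists elsewhere.
    try:
        process_for_purpose(ledger, "u-1001", "profiling", lambda: "profiled")
        results["profiling_blocked"] = False
    except PermissionError:
        results["profiling_blocked"] = True
    # Withdrawal the next day from the account settings page.
    ledger.withdraw("u-1001", "newsletter", "account-settings", at=t0.replace(day=26))
    results["after_withdrawal"] = ledger.is_permitted("u-1001", "newsletter")
    results["history"] = ledger.history("u-1001")
    return results


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The point of the design is that the consent check is keyed on purpose, not on the subject alone: holding consent for a newsletter gives no right to profile the same person. Keeping the record append-only also means the export from `history()` doubles as the evidence of when and how consent was obtained, which is what a supervisory authority will ask for after a breach.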
The GDPR defines personal data as "any information relating to an identified or identifiable natural person".
Personal data includes the obvious categories (name, identification number, etc.) but also location data, physical, physiological, genetic and mental characteristics, and economic, cultural and social identity. It also covers a person's conduct and behaviour: for example, the fact that an individual liked a particular tweet or Facebook post would constitute personal data.
It is therefore important for organisations to identify the personal data they hold and to treat it separately from the other data on their systems.
The GDPR gives data subjects the right to request that their data be provided to them in a "structured, commonly used and machine readable format". For data held in structured form, for example in relational databases, this should be relatively straightforward for companies to achieve.
Increasingly, however, data is held in unstructured formats. For example, data held in social media sites will be unstructured, as will data held in audio and video formats. Companies will need to be able to provide this data in a commonly used format if requested.
Companies must keep detailed records of the data they hold, as well as the details of the processing conducted on that data.
There are indications in the GDPR that good record keeping will be considered as a mitigating circumstance in the case of a data breach. This may reduce or eliminate an otherwise sizeable fine.
The maximum penalty for non-compliance is 4% of total worldwide annual turnover for the preceding financial year or €20 million, whichever is higher. This puts data protection on a similar footing, in terms of fines, to anti-corruption and bribery legislation.
The other most impactful aspect of the GDPR is the introduction of mandatory breach notification. A breach must be reported to the national data protection authority (DPA) without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it; where the breach is likely to result in a high risk to individuals, the affected data subjects must be informed as well.
Failure to comply could mean not just high-level fines but reputational damage too.
Cybercrime and the GDPR
Our CEO, Ian McVicar, and Director of Technology & Services, Sean Callanan, were recently interviewed by Business Reporter to discuss the threat of cybercrime and how UK businesses can protect themselves.
The threat of cybercrime to UK businesses has been described as "an unprecedented threat to society", and yet according to our research UK firms do not see online security as a priority, with 63% of companies deciding not to invest in better online security.
This interview also touched upon the GDPR as combatting cybercrime is closely linked to how data is managed and protected, which is key to the GDPR.
The interview covers GDPR at the 4 minute mark.
How we can help
GDPR is not just about technologies: it's as much about process design and procurement. However, some elements can only be enabled or managed through technology.
We can help businesses make informed decisions and guide them towards what technology they really need to invest in to be prepared and compliant.
Call us or send us a message to speak to one of our specialists.