With the deadline to become compliant with the new General Data Protection Regulation (GDPR) just 12 months away, we explore what this new legislation means for businesses around the world.
The GDPR is a set of rules governing the collection, processing and, most importantly, the protection of the personal data of people within the European Union. It applies to any organisation that processes such data, wherever that organisation is based, and so, despite the Brexit vote, companies within the UK will still need to become compliant if they wish to handle the data of EU residents.
The GDPR replaces the 1995 Data Protection Directive, which the UK implemented as the Data Protection Act 1998, legislation written long before the way most people now use data online. It aims to give individuals more rights and more knowledge about how, when and why their data is used. It gives them the “right to be forgotten” (the right to have their data erased) and the right to withdraw consent or object to processing, as well as the “right to portability,” allowing them to obtain the data they have provided in a structured, commonly used and machine-readable format and to reuse it elsewhere.
Two of the biggest changes the GDPR introduces concern the nature of consent and the rules on breach notification. Consent is only one of several lawful bases for processing, but where a controller relies on it, that consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. It is not enough for a user to fail to say “no” to a process; they need to have said “yes” to a set of clear and easy to understand permissions. Under the GDPR it will no longer be acceptable for permissions to be hidden behind obtuse language or buried within a product’s terms and conditions, and pre-ticked tick-boxes, silence or inactivity will not count as consent.
The consent requirement may cause issues for widely used marketing and measurement tools such as Google Analytics. Under the complementary ePrivacy Regulation, which at the time of writing is still a draft, consent for tracking cookies is expected to be required, potentially expressed through a user’s browser settings, while cookies that are strictly necessary for the site the user is browsing to work, or that the site operator uses only to measure its own audience, are expected to be exempt. Whether third-party analytics services fall inside that exemption is not settled in the current draft.
On the other side of the agreement, companies will be held far more accountable for data breaches that compromise personal data. If a breach occurs, the controller must inform the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, describing the nature of the breach, its likely consequences and the measures taken or proposed to address it. Where the breach is likely to result in a high risk to the individuals affected, they must be told as well.
Companies that fail to comply also face a two-tier penalty scheme. The lower tier carries fines of up to €10 million or 2% of worldwide annual turnover for the previous financial year, whichever is higher; the upper tier, for the most serious infringements, goes up to €20 million (roughly £17m at the time of writing) or 4% of turnover, again whichever is higher. These figures are far greater than the UK’s current maximum fine of £500,000 under the Data Protection Act.
Keeping a Tight Ship
Once collected, personal data can only be transferred outside the EU to countries the European Commission has judged to provide an adequate level of protection, or under appropriate safeguards such as standard contractual clauses or binding corporate rules. A country or organisation that cannot meet that standard cannot receive the data, closing off the leaks that mismatched data protection regimes have allowed in the past.
The GDPR also makes “data protection by design and by default” mandatory. Privacy and security must be built into products and services from the start of the design process rather than bolted on afterwards, and, by default, only the personal data necessary for each specific purpose may be processed.
But What About Brexit?
The UK’s upcoming exit from the European Union will have little impact on whether UK companies need to abide by the GDPR. The UK government has already stated that it believes the new rules represent best practice for companies in the UK. Furthermore, the GDPR applies to any organisation handling the personal data of people in the EU, not only to organisations within the EU bloc itself, so it is important for UK companies to be aware of these new rules.
There is a problem with this, however. The Investigatory Powers Act 2016 sits in direct conflict with the spirit of the GDPR, since it provides for the interception and retention of communications data without the knowledge or consent of those concerned. Digital communications through WhatsApp, Facebook, email or similar services are treated as confidential by the GDPR’s partner legislation, the draft ePrivacy Regulation, and so cannot be stored or read without consent. There has been no word as to how these two policies will co-exist, if indeed they can.
Looking to the Future
The GDPR means a lot of change for businesses across the world. With all processing of the personal data of people in the EU requiring GDPR compliance, no matter where that processing takes place, we may well see a similar set of rules become commonplace worldwide. Companies in the UK especially should begin analysing their current data protection strategy now, to ensure they are compliant by the time the GDPR applies on May 25th 2018.