I’ve got a personal question to ask you.
Ever clicked accept without reading the terms and conditions on a website, or entered your personal information without reading the disclosure of how it would be used or shared? It is not my intention to reprimand you or make you feel guilty; we all do it. But the consequences when our data and sensitive information are mishandled can be disastrous. It’s called personal information for a reason, it’s personal, and yet we all seem at ease handing it over daily to businesses we have no personal relationship with and no history of trust.
Consider for a moment the details we share: our address, credit card information and personal preferences. How would it feel to know your information had been mismanaged or disseminated, let alone found its way into the wrong hands?
In April 2016, the European Parliament and the Council adopted a regulation requiring companies that hold the personal details of their customers to be responsible for how that data is stored and, most importantly, secured. Pretty clever thinking really, and thus the GDPR was formed.
GDPR stands for General Data Protection Regulation. It replaces the 1995 Data Protection Directive and sets the new rules for how personal data is collected, processed and stored, and how privacy is managed.
In an interview with the Financial Times, the UK’s information commissioner Elizabeth Denham commented, “It underlies everything we do, in our personal lives, as consumers, as well as policing and law enforcement, criminal justice, everything relies on data. That’s why this is such a critical issue at a critical time.”
The GDPR is already law across the European Union. As a regulation rather than a directive, it applies directly in every Member State without needing national legislation, and it becomes enforceable in May 2018.
To put it simply, its purpose is to set rules for how personal data is handled and secured. It is also designed to give consumers and data subjects greater transparency about how the data they provide to companies is used and stored, and a greater sense of ownership over their personal information should they wish to view it, correct it or have it removed. That is the short version. To expand on this, check out the below.
What does GDPR involve?
Seven key elements stand out:
1. Consent and understanding
Companies can no longer bury consent in fancy legal jargon that any poor human without a law degree is unable to decipher. Requests for consent must be presented in clear and plain language, consent must be given by a clear affirmative action, and it must be as easy for a customer to withdraw consent as it was to give it.
2. Breach notification
Data controllers must notify the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the affected individuals, the controller must also inform those individuals without undue delay.
3. Right to access
Any business that holds your data is required to confirm whether it is processing your personal data and, if so, to provide you with a free copy of that data (in a commonly used electronic form when you ask electronically), along with the purposes of the processing and who it has been shared with.
4. Right to be forgotten
Where a company no longer needs your personal data for the purpose it was collected, or you withdraw the consent the processing was based on, you have the right to request that it be erased.
5. Data portability
Gives individuals the right to receive the personal data they have provided to a company in a structured, commonly used and machine-readable format, and to have it transmitted to another provider for their own purposes.
6. Data protection by design
When establishing new processes, procedures and technical systems, businesses must build in the required data protection measures from the outset rather than bolting them on afterwards. This includes techniques such as pseudonymisation and collecting only the data needed for the stated purpose (data protection by default).
7. Data protection officers (DPO)
Public authorities, and organisations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of sensitive categories of data, will be required to appoint a qualified expert in data protection law and practice to monitor compliance, advise the organisation and act as the point of contact with the supervisory authority.
What forms of data does GDPR protect?
When most of us think about our digital footprint and the data that may be of interest to businesses or potential fraudsters, we immediately go to where we live, credit card details and personal ID. However, the data that is collected about you is actually far broader. Just take a look below; do any of these come as a surprise?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
When does GDPR come into effect?
The new regulations will come into effect and will be enforced from May 25, 2018. Mark it in your diary.
Who does it apply to?
GDPR applies to any organisation established in the European Union that collects or processes personal data. It also applies to any organisation, anywhere in the world, that offers goods or services to people in the EU or monitors their behaviour, regardless of where the organisation itself is based.
What happens if I choose not to comply?
Take a deep breath before reading the following. The repercussions for non-compliance are significant, and the fines are hefty. Financial penalties for the most serious infringements can reach up to 20 million euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. If we hadn’t already made the message clear in the above, this is serious.
Who should be responsible?
Data controllers are not only responsible for how their internal business groups maintain and process information; they are also responsible for any external contractors (data processors) that perform any part of a function relating to processing or managing that data. The controller must ensure, through a written contract, that those processors comply with the requirements of the GDPR.
To end on a positive, you can breathe a sigh of relief as thankfully, the GDPR regulations are consistent across all twenty-eight member states of the EU. We were going to trick you but thought that could be cruel. So if your goal for the start of 2018 was to use that gym membership or use less plastic, I think we’ve just found your new top contender. Get ready for GDPR.