In the first of our GDPR series, we begin by looking at why it’s here, what it is and why it’s important.

Why protect personal data? “Data is the new oil!” has become the rallying cry of this century’s barons of commerce. This slogan of our times has adorned countless articles in print media, formed the basis of TED Talks and is probably emblazoned on Mark Zuckerberg’s pyjamas. But the comparison is fair as, much like its predecessor, data has lubricated the explosion of the modern digital economy. So much so that the five most valuable companies in the world (Apple, Amazon, Facebook, Microsoft and Google) all share the same common DNA as skilled practitioners of turning data into a rich, profitable commodity.

Much as oil was, once upon a time, just bits of dead vegetation and dinosaurs, personal information was also an untapped resource, which had yet to be realised and refined from its natural state. To labour an already tired analogy, oil and data are both far less of a risk when they are not being mined and refined for commercial purposes, and the potential for abuse has been acknowledged for some time.

The right to respect for one’s “private and family life, his home and his correspondence” was enshrined shortly after the Second World War in Article 8 of the European Convention on Human Rights in 1950. But the potential for the processing of personal data to infringe upon these rights was becoming apparent in the 1960s and 70s as computers developed from room-sized, highly complex behemoths into accessible and indispensable tools of industry. By the time Sony released their first 3½-inch floppy disk (packing a whopping 400KB of portable storage space) in 1981, the Council of Europe had met to sign the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” (Convention 108). This created the blueprint for the start of formal data protection legislation across Europe.

Why now? To help us understand the need for new data protection laws, it’s worth considering that the current Data Protection Act 1998 is derived from a 1995 EU Directive (95/46/EC), which was drafted back in a time when buying a share of Apple stock would get you change from a £1 coin and Google was just a twinkle in Sergey Brin’s eye. Since that time, the ways in which businesses collect, store, and utilise personal information have been transformed.

In an attempt to bring the growing volume of different data protection laws under one banner, the European Commission issued a draft of the General Data Protection Regulation (GDPR) in January 2012. The decision to initiate this upheaval via a Regulation (which, unlike its Directive predecessor, applies directly in member states without further national legislation) was a reflection of the importance that data protection had garnered over the intervening years since the 1995 Directive. The resulting Regulation was dubbed “the most lobbied legislation ever” and emerged battered and bruised to be adopted by the EU in its current form on 27th April 2016. After a two-year transition period, the GDPR will become enforceable across the entirety of the EU from 25th May 2018.

The result of the EU membership referendum in June 2016 briefly allowed the cat to be launched amongst the pigeons as to whether the UK would be adopting the new Regulation, but the Government moved to quash all talk of a non-GDPR-compliant UK by announcing the Data Protection Bill in August 2017, which will carry the GDPR into UK law by way of a new Data Protection Act in 2018. This will ensure that the principles of the GDPR are maintained as and when the UK leaves the EU.

Why is it important? So, if that’s the whistle-stop tour of why the GDPR is here, why does it matter to the average, long-suffering operator of a business in the UK?

Equivalency: The data industry is a huge part of the UK economy (rumoured to be worth £322 billion by 2020) and, with the expansion of its definition under the GDPR, ‘personal data’ forms a large part of that. The EU has stated that any country failing to implement data privacy laws equivalent to the GDPR (in other words, a country without an adequacy decision) will not be able to receive transfers of the personal data of EU citizens across its borders. The failure of similar schemes in place between the EU and US (the collapse of the Safe Harbour agreement in 2015 sent the US scrabbling for an alternative mechanism for cross-border privacy protection, resulting in Privacy Shield in 2016) has demonstrated the importance of such equivalency.

Fines: It’s almost impossible to pick up a paper, walk past a billboard or chat to a colleague without the obligatory discussion of the astronomical fines soon to be ushered in by the GDPR, and these are no laughing matter, as the Information Commissioner’s Office (ICO) will now have the ability to fine companies up to €20m or 4% of global annual turnover (whichever is higher). The cost of damage to brand and reputation through poor data handling practices (which has always been present) could soon be matched or exceeded by the potential fines the ICO has at its disposal under the GDPR.

Customer Service: An alternative way to view the GDPR is as a piece of legislation which places the individual at its core. After all, those of us running a business with the potential burden stemming from the forthcoming changes in data protection law are also individual data subjects. It’s our data that is collected, stored, utilised, sold for profit and, hopefully, not lost, misplaced or abused.

Under the GDPR individuals enjoy increased rights to control over their personal information, which include:

• The right to access their data (with tighter time frames for compliance by controllers), as well as being given greater information about the circumstances of processing and how long it will be held for (Art. 15);
• A new right “to be forgotten”, which allows individuals to request that their data is erased under certain circumstances (Art. 17);
• A right to be informed if a data breach poses a high risk to their rights (Art. 34); and
• A right to object (Art. 21) and to restrict processing (Art. 18).

Although all of these expanded rights may conjure up visions of red tape and increased administration, the alternative is to consider that correct preparation for each allows for:

• Streamlining of internal processes to locate the whereabouts and worth of all data being held;
• Conducting data minimisation audits, an accepted method of building efficiency into an organisation’s processes;
• Installing the correct level of cyber-security and internal systems to prevent the loss and corruption of vital information;
• Ensuring that those customers whose data you are processing and spending money on targeting are still engaged and show potential to interact with your business; and
• Ensuring that all processing is necessary for the purposes of the business, rather than taking up precious resources that could be used elsewhere.

Conclusion: Understandably, for those at the beginning of their GDPR compliance journey, the media focus is making the proverbial carrot appear a long way from the ever-present stick. The forthcoming requirements of ‘privacy by design’ and ‘ongoing accountability’ seem alien to many but are quite possibly already part of your existing practices. The correct first step is to understand where you are now and how far you have to go to be compliant. Conducting a gap analysis to assess the level of work required is an absolute must. Once you have identified the degree of work that needs to be undertaken, it is imperative that you build a plan and allocate the time and budget required to ensure compliance by 25th May 2018.

That was a (reasonably) brief introduction to the GDPR. In our forthcoming articles we will be taking a closer look at what the key changes are, their potential impact on businesses, and the smart measures to take to maximise the benefits and minimise the risks.

If you would like any advice on complying with the GDPR or our data protection services, please get in touch by emailing [email protected] or calling 01603 339044.
