The European General Data Protection Regulation
In May 2018 the European Union will launch the largest shakeup of data protection legislation since the Data Protection Act (DPA) came into force in 1998.
That’s when the General Data Protection Regulation (GDPR) comes into force. Unlike the DPA before it, which implemented a Directive, the GDPR is a Regulation. The difference is that Directives have to be individually made law by member states, which buys you a bit of time (the DPA took an extra year to become UK law), while Regulations like the GDPR are legally binding immediately.
The GDPR is in many ways a noble pursuit. The world has moved on since the inception of the original Data Protection Act. We have created a world of the Internet of Things, self-erasing photo sharing apps, the ‘right to be forgotten’, biometric security, two-factor authentication, cyber bullying and advertising so targeted we spend our lives in the crosshairs.
And that’s just some of the more recent privacy concerns. When the original DPA came in, Facebook was still six years away from launching. MySpace wouldn’t come along for another five. There wasn’t yet a gap in the market for Twitter to identify, and Snapchat would have worked pretty poorly on our Nokia 5110s.
So our data protection laws are due an update, and if advertisers and huge companies have to treat our personal information with the respect it deserves, even deleting it if we ask them to, then surely that’s a good thing for us, the consumer. The individual.
But what about businesses? What kind of changes do we face as employers? As customers and suppliers? As recruiters and human resources managers? As IT managers and payroll clerks?
The short answer is: quite a few.
Over the coming weeks, we will attempt to provide the long answer.
But… Brexit, Right? Come on, Brexit?
The government has already confirmed that the UK will take on the GDPR regardless of its membership of the EU.
Not only will we still be in the EU when the GDPR becomes law, but the government has committed to replicating the rules on our exit. You may hear talk of the Data Protection Bill over the coming months, which is the legal framework that will enshrine the GDPR in UK law post Brexit, but as it stands at the moment they mean the same thing in all the important ways.
It’s important to keep in mind these two points:
- We’re still in the EU, and will be when the GDPR becomes law. When this happens the Data Protection Act will be repealed.
- The Data Protection Bill will replace GDPR, not the Data Protection Act.
Or, to put it more succinctly…
The GDPR Is Coming…
It may not be massively publicised (yet), but it’s coming and it’s staying. In a couple of months’ time some of the big companies will start making their adjustments, and you’ll see more and more evidence. Just recently, for example, I received an email from Google informing me of their changes for the GDPR, I noticed Twitter had changed their cookies banner to acknowledge the transfer of data outside the EU (very much a GDPR thing) and I got an email from a hotel chain asking me to ‘re-opt in’ to their marketing emails.
Despite the looming, sub-six-month deadline, only 5% of EU companies feel prepared for the GDPR. In the UK we can certainly put a lot of that down to the uncertainty that Brexit has caused, and also perhaps to a reaction to the stupendous fines that have been announced. For serious breaches of the GDPR, companies will be liable for a fine of €20 million or 5% of turnover, whichever is greater. As that kind of fine would put many SMEs out of business, there is perhaps a reluctance to take the threat seriously, or at the very least an assumption that there will be a year or two of grace before things get serious. And maybe there will.
Any law is only as strong as its consequences, and perhaps it will take something like the TalkTalk case, in which the ICO fined the company £400,000 for a data breach under the current Data Protection Act, to force SMEs to take action.
There are new personal liabilities to consider too, and we’ll be looking at the roles of Data Controllers, Data Processors and Data Protection Officers over the coming posts.
Still, though, it feels like British businesses are slow to get out of the starting gate.
There are details of the GDPR that every business owner needs to be aware of. Things like ‘privacy by design’ and ‘privacy by default’, right through to the difference between ‘implied consent’ and ‘explicit consent’.
It may be that you’re able to hold out, and that the fines aren’t really enforced, and things can carry on pretty much as normal – at least for a year or two.
But what happens when your customers start asking questions about compliance? What if it becomes a factor in stakeholder decision making? How will you compare against a company that wears its GDPR compliance on its sleeve?
Over the coming weeks we will try to offer some advice and guides on what you need to do and how to go about it.
One final note, though: there is no need to panic. If you follow the rules of the Data Protection Act reasonably well, then there’s no reason why you can’t conform to the GDPR without too much of a headache.
And if not, then take solace in this:
You know those pre-ticked check boxes on forms that threaten to send you junk mail for the rest of your life unless you read the small print three times to work out whether you’re supposed to uncheck the box if ‘you don’t want them to not unsend you no information’?
They’re illegal under GDPR.
The GDPR is a big deal. While we’re attempting to create a readable and accessible introduction to the GDPR, our comments here should not be considered legal advice. The best single place for GDPR information in the UK is the ICO website. You may also wish to obtain your own legal advice, which, again, this is not.