GDPR: What it is, What it does & What it can (or can’t) do for you:
One of the best known acronyms in the data-world, GDPR is set to impact businesses and the way they interact with data.
GDPR (General Data Protection Regulation), four years in the making, will define the way in which data ought to be treated and protected, aligning itself with the ever-evolving manner in which data is utilised. It is a legal update on its predecessors, such as the Data Protection Act 1998: current legislation does not factor in recent technological advances such as cloud technology, which outpace laws that do not account for the latest innovations and leave data open to exploitation. Furthermore, GDPR gives businesses an even and clear legal framework to operate within, as it will be rolled out across Europe.
A long time coming, some might argue, but what will GDPR mean for consumers? It will mean the protection of sensitive information for those who relinquish their data to companies, and it will give individuals more say over what happens to their information.
Its impact on companies, especially those whose entire foundation is based on controlling and/or processing data, is as yet unknown. However, GDPR will signal an entirely new era of data management, acquisition and protection, one that will require a lengthy education on the matter. So, here are the 10 key points of GDPR:
- Businesses that extract data from EU citizens, even if the business resides outside of Europe, will be subject to GDPR.
- The Data Protection Authorities will have a wider scope of power with regard to penalties for breaches of personal data. By comparison, in the UK a breach under the Data Protection Act can cost up to £500,000; under GDPR a serious violation can cost a business up to €20 million or 4% of its annual global turnover.
- The definition of personal data now includes online identifiers such as IP addresses and mobile device identifiers.
- Under GDPR, companies will be required to be explicit about their intent for the data received, and will be bound by law to seek clear consent from the consumer rather than passive acceptance (pre-ticked boxes, opt-outs, etc.). Additionally, a record must be kept of how and when an individual consented to having their data recorded, with the understanding that the individual may withdraw their consent at any time.
- Both technical and organisational measures for the protection of personal data are set to become compulsory. GDPR will outline examples of such measures, which include but are not limited to the encryption of personal data and processes for testing the effectiveness of security measures.
- Companies will have to keep an electronic record of personal data processing activities. This covers the lifecycle of the data as well as the contact details of the data controller.
- Data protection impact assessments will come into effect under GDPR, and will be required for technologies that are seen as a high risk to individuals.
- From May it will be a requirement for companies to report breaches of personal data to the DPA within 72 hours of becoming aware of the situation. High-risk breaches (e.g. unauthorised access to unencrypted personal data) require that the affected individuals be informed immediately.
- Companies that either monitor individuals on a large scale or process certain categories of data are required to work with a Data Protection Officer, who will monitor company compliance with GDPR and act in an independent manner.
- Fundamentally, GDPR is concerned with data protection, advocating both privacy by design and privacy by default.
Data protection is of paramount importance within the GDPR narrative and beyond. The need to protect individuals from identity fraud and phishing is more urgent than ever, with criminal responses to technological advances becoming increasingly sophisticated. Thus, both consumers and data-driven industries need to be shielded from dangers that are not covered by the legislative Acts currently adhered to in various EU countries. Companies are recommended to appoint the aforementioned Data Protection Officer, who will be responsible for overseeing data protection strategy and its implementation to ensure compliance with GDPR requirements. Their role will include, but is not limited to:
- Training staff involved in data processing
- Conducting audits to confirm adherence and addressing potential issues proactively
- Being the point of contact between the company and GDPR Supervisory Authorities
Much about GDPR's practical effect remains uncertain, in spite of its in-depth nature. However, it is imperative that companies subject to the legislation fully comply with the new laws of the tech-land in order to avoid a hefty fine. GDPR is a long-awaited update to legislation that could never have envisioned the direction the Internet has taken. It will redefine the way in which data is handled and utilised, creating a fairer, safer tech-society.