On the 25th of May, a new data protection legislation, GDPR, will come into effect, after which companies will be obligated to obtain individual consent to gather personal details while being more open about how the information gathered will be used. GDPR will change how businesses and public sector organisations can handle the information of their customers. What’s more, a failure to comply with the guidelines will expose companies to the risk of fines of as much as 4% of said company’s global revenue.
But there isn’t much to stress about, as the vast majority of companies and businesses already abide by data protection regulations that are set by their countries’ governments, and the introduction of the GDPR will bring only minor changes. The UK Information Commissioner is frustrated with the amount of scaremongering around the introduction of GDPR: “The GDPR is a step change for data protection. It’s still an evolution, not a revolution.” Companies in the UK will have had two years to make the necessary changes to their data protection rules when May 25th rolls by, and the government’s new data protection legislation, which itself implements the vast majority of GDPR, was published in September 2017.
The bill published in September 2017 will implement GDPR in UK law and largely cover all the main areas of the EU regulation. However, there is some flexibility in how individual countries implement GDPR. Our government says its bill sets out a number of exemptions from GDPR. These include extra protection for journalists, scientists and historical researchers. In addition to these, anti-doping bodies are also subject to exemptions, as they need sportspeople’s data.
So, overall, this new data protection legislation isn’t anything too scary, and for most of us, it’s actually a source of comfort and reassurance. Over the past few years, there have been some massive data leaks with the likes of Yahoo, and most recently with Facebook. Although it’s comforting to see that something is being done, what does this all actually mean? And what does this mean for the companies that need to abide by the GDPR legislation, and which companies in particular?
Individuals, organisations and companies that are either controllers or processors of personal data will be covered by the GDPR. Also, if you are subject to the DPA, our old data protection legislation, it is likely that you will also be subject to the GDPR. Both personal and sensitive personal data are covered by the GDPR. Personal data, a complex category of information, broadly means any piece of information that can be used to identify a person. This can be a name, an address, an IP address and so forth. Sensitive personal data encompasses genetic data, information about religion and politics, sexual orientation and similar.
These definitions are largely the same as those within current data protection laws. Where GDPR differs from those laws is that pseudonymised personal data can fall under the law – if it is possible that a person could be identified from the pseudonym. For a company with over 250 employees, there is a need to have documentation of why people’s information is being collected and processed, descriptions of the information that they hold, how long it is kept for and descriptions of the technical security measures in place.
Additionally, companies that carry out regular and systematic monitoring of individuals on a large scale, or that process a lot of sensitive personal data, will have to employ a data protection officer; for many companies this may mean hiring a new member of staff. The DPO reports to a senior member of staff, monitors compliance with GDPR and acts as a point of contact for both employees and customers.
So, to summarise everything in a nutshell: come the 25th of May, the laws on keeping and protecting data should make the handling of it more ethical. For us regular folk not in charge of multi-million-pound companies, the change doesn’t really affect us. For those companies, it may be a bit annoying, but the overall result will greatly improve how well we are looked after by both start-ups and giants alike.