GDPR (General Data Protection Regulation) 2018
What is GDPR & How It Will Impact Business Owners in the UK
The General Data Protection Regulation (GDPR) was first proposed by the European Commission in January 2012, after it was established that Europe's data protection rules needed to be made fit for the digital age. The aim was to give EU citizens a single, streamlined data protection regime. Here in the UK, GDPR replaces the Data Protection Act 1998, which itself implemented the EU's Data Protection Directive of 1995. At a time when people share so much of their personal data with organizations, online and otherwise, there was a need to regulate how, and for what purposes, those organizations may use it. Think of the personal information you share with Google, Amazon, Facebook and many more. It is only recently that Facebook faced a global backlash for improper handling of people's data when it allowed Cambridge Analytica to use users' personal data for political purposes; Facebook's CEO was forced to apologize to Facebook's users around the world and promised never to let it happen again. Scenarios like this are what have heightened the anticipation around the implementation of GDPR.
UK businesses and companies that fail to comply with GDPR risk being hit with hefty fines. Even with the current uncertainty about exactly how Brexit will play out over the coming years, the truth is that the UK remains part of Europe, and the streamlining and realignment of data protection laws across Europe benefits everyone.
Important things to note about GDPR
- It took four years of debate and consensus building before the EU Parliament finally approved GDPR in April 2016, with enforcement set to begin on 25th May 2018. From that date, any company or organization that has not complied with the regulation risks heavy fines for non-compliance.
- Once GDPR takes effect later this month, it replaces the earlier Data Protection Directive 95/46/EC. It seeks to empower EU citizens and protect them from having their data misused, and it substantially changes how organizations handle and use your data.
- Even under the existing data protection laws, many people have suffered misuse of their data by individuals and organizations. Think of the Facebook and Cambridge Analytica example given earlier: the latter harvested over 50 million Facebook profiles for use in influencing elections in the US. Once GDPR is in force, blatant misuse of personal data of this kind will carry serious penalties for the organizations responsible.
- Under GDPR, organizations are expected to ensure that all the personal data they hold has been collected lawfully. They are also responsible for ensuring that the collected data is managed and protected from exploitation and misuse. Compliance also calls for respecting the rights of the people the data is about (the data subjects).
- UK companies also have to meet IT requirements relating to data flow mapping, as well as risk assessments, to ensure that robust security measures are in place.
People affected by the GDPR framework
GDPR applies to any organization operating within the EU. The legislation applies to controllers and processors, and the definition and role of each is set out in the regulation. A controller is the party that determines the purposes and means of processing personal data, typically the organization that collects the data from the user. A processor is a party that processes personal data on the controller's behalf. So think of the organization, or even the government body, that holds your personal data as the controller, and the IT firm it hires to process that data as the processor. Both can be held responsible for a violation of GDPR; it does not matter whether the controller or processor is based in the UK, France, Silicon Valley, China or anywhere else. As long as an organization is established in the EU, or offers goods or services to, or monitors the behavior of, people in the EU, the regulation applies to it. In fact, controllers carry the added responsibility of ensuring that any processor they choose abides by the rules set out in GDPR.
What Is Personal Data, According To The GDPR?
In simple terms, personal data is any information relating to an identified or identifiable individual. This includes names, photos, addresses, phone numbers and the like. An important point, and one that differs from the previous data protection rules, is that GDPR explicitly extends the definition of personal data to online identifiers such as IP addresses, as well as genetic data, biometric data and any other information that would be sensitive to a consumer.
When Will GDPR Become Effective?
Unless something changes, the regulation takes effect on 25th May 2018. Because GDPR is an EU regulation rather than a directive, it applies directly in every member state without needing to be transposed into national law. The official text of the regulation was published in all the recognized languages of the union and made available to all member states in early 2016. This means that all organizations and entities operating in the EU have had ample time to prepare for the change; no one can claim that they were not informed.
Brexit impact on GDPR
So what happens when the UK formally exits the European Union? Will the regulation still apply? This is a legitimate question that deserves a clear answer. Brexit talks have yet to be officially concluded, but the indications are that the UK will formally leave the EU in March 2019. According to UK government sources, the separation from the EU will be arranged so that EU rules and regulations whose aims are in line with the UK's own are retained. In this regard, GDPR will hardly be affected by Brexit; the data protection rules enshrined in GDPR will remain. Controllers and processors based in the UK will therefore still be held liable for any non-compliance or breach of the regulation.
Effects of GDPR to businesses
- GDPR establishes one set of rules across the region. As mentioned above, the legislation also reaches beyond Europe's borders: a company based abroad is still bound by the regulation if it handles the personal data of people in the EU.
- There are high hopes that the regulation will benefit many businesses, not just here in the UK but across the wider Europe. Under the regulation, a company operating in several member states deals with a single lead supervisory authority, which makes it easier and more economical to operate across the region. According to analysts' projections, the framework may help companies and organizations operating in the EU save over €2.3 billion a year.
- By unifying the rules across Europe, GDPR creates more business opportunities and room for innovation. It also means that the products and services of the various organizations come with a guaranteed baseline of data protection.
- The framework gives organizations a better basis for using recent technologies to sell their products.
- Lastly, GDPR gives organizations a clearer framework that encourages them to adopt techniques for benefiting from gathering and analyzing data, since the privacy of the people concerned is guaranteed protection.
The Effects Of GDPR To UK Citizens
- In the recent past there have been numerous cases of data breaches and hacks targeting ordinary citizens, especially involving email addresses, social security numbers, private health records and passwords.
- GDPR does not make breaches impossible, but it ensures that consumers are notified when a breach of their data is likely to put them at high risk. If you willingly shared your personal data with a company, the company owes it to you to alert and inform you whenever that information is breached or compromised.
- Companies and organizations, also referred to as controllers, are expected to put proper measures in place to ensure that citizens' data is kept safe and secure.
- Additionally, consumers and citizens are promised smoother handling of, and access to, their data. This includes transparency about how their data is being processed, and assurance that organizations use and store their customers' data in a safe, secure and verifiable manner.
- A controller is expected to have a lawful basis, such as the customer's consent, before using their data or sharing it with third parties. In this way the framework ensures that consumers' rights are better protected.
- Customers have also expressed relief and appreciation for the move, since they now have more say in how controllers may use their personal data. The regulation is clear that organizations must seek fresh consent from customers and clients before using their personal data for purposes beyond those for which it was collected.
- GDPR similarly introduces the right to be forgotten (the right to erasure). This is aimed at ensuring that individuals who no longer wish to have a relationship with an organization can have their data deleted. This is another crucial point that businesses need to keep in mind once GDPR takes effect.
What Breach Notification Means Under GDPR
- Once the regulation takes effect, organizations are responsible for, and required to report, any personal data breach. This includes unauthorized access to, and loss of, individuals' data. Organizations are therefore required to notify and inform the person the data is about when their data has been compromised or used improperly.
- Among the key aims of breach notification are preserving consumers' rights and freedoms and reducing discrimination. Other harms GDPR seeks to curb include loss of privacy, financial loss and any other social or economic disadvantage that may arise from a breach of personal data.
- The regulation requires a breach to be notified to the supervisory authority (in the UK, the Information Commissioner's Office) within 72 hours of the organization becoming aware of it, unless the breach is unlikely to pose a risk to individuals. Where the breach is likely to result in a high risk to the people affected, the organization must also inform those people directly and without undue delay, in clear and plain language, describing the nature of the breach, its likely consequences and the measures taken to address it.
Fines For Non Compliance To GDPR
- Under GDPR, a controller or processor that fails to comply with its obligations, including the breach notification rules, risks a fine of up to 10 million euros or 2% of the company's worldwide annual turnover, whichever is higher. You can imagine what a percentage of a company like Facebook's annual turnover would amount to.
- Fines also depend on the seriousness of the infringement; more serious cases, such as unlawful transfers of personal data or ignoring a person's request to access their personal data, attract the heavier tier: a fine of up to 20 million euros or 4% of the organization's worldwide annual turnover, whichever is higher.
Under GDPR, a UK business must appoint a Data Protection Officer (DPO) if it is a public authority, if its core activities involve large-scale, regular and systematic monitoring of individuals, or if its core activities involve large-scale processing of special categories of data. The DPO is responsible for advising on and monitoring the organization's compliance, including the security of its customers' data. Where a DPO is required, failing to appoint one is itself non-compliance and can attract a fine. UK organizations and companies now have to consult professionals who can advise them on how to conform to the new regulation. It also means being more careful when choosing processors to work with, and using software that offers strong protection for customers' personal data. As a company or organization, you have an obligation to ensure that any third parties you work with have complied with the regulation and that their data protection policies are up to date and in line with the rules.