We will all have received emails urging us to spend a fortune on software or consultancy to save us from the “perils” of the General Data Protection Regulations (GDPR) which are coming into force on 25th May 2018. This article seeks to put GDPR into context and explain why we should be sanguine and measured in our response.
Regulation (EU) 2016/679 is the European Parliament’s response to the fact that, due to the fantastic power of computers, the movement and sale of personal data, both legally and illegally, has become big business. The regulations seek to keep safe and control the processing and movement of data in a consistent way across all the member states of the EU. It also applies to those states that trade with EU members. The Regulations have direct effect; every member of the EU is subject to them without the need for their own legislation.
The fines for breaches can be up to a maximum of 20 million Euros or 4% of worldwide turnover, whichever is higher. Our own Data Protection Act 1998 provides for a maximum penalty of £500,000.00.
The GDPR includes novel provisions such as:-
- “Privacy by design”. If we design a new data system, privacy should be built into it.
- “Data protection impact assessment”. A requirement to assess the impact on data protection caused by any new system.
- Breach notification. If we know of a breach, we have to notify the relevant stakeholders.
Our own Government has cottoned on to the fact that our Data Protection Act 1998 is now fairly useless in regulating and punishing powerful users of personal data, e.g. social media companies like Facebook, financial institutions, and marketing companies. So the Data Protection Act 1998 will be repealed and replaced with an Act which is currently going through parliament. It confirms that we are subject to the GDPR but “tunes” our legislation to ensure we are consistent with GDPR and are a “safe haven” for data coming into Britain from the EU post Brexit. Politically and economically it makes perfect sense.
What does not make sense is a hasty, exaggerated response by UK business to the change in legislation. The risks after 25th May 2018 and the UK Data Protection Act will be exactly the same as before, i.e. people stealing, hacking, and negligently disclosing personal data. We can deal with those risks, as we have up until now, by maintaining strong cyber security systems and by training and managing our staff so they do not abuse personal data. The UK enforcement authorities such as the ICO will essentially have the same resources and facilities to deal with the transgressors as they have up until now.
The sensible response by UK business will be to look at the ICO guidance “Preparing for the General Data Protection Regulation”, make a measured review of their business, check their systems are fit for purpose, upgrade as necessary, and train and manage their people on the new regime.
Unless we are actually in the business of lawfully selling or analysing data, then the best approach is for us to understand that we do not own personal data and cannot treat it as though we do. We merely hold it as trustees; and only for the purpose for which it was transferred to us. If we implement that approach then all will be well.
If you have any concerns about the new Data Protection regime or the implications for your organisation, please contact Kevin Basnett.