The General Data Protection Regulation (GDPR) has been finalised by the European Union and will come into effect from May 2018. It replaces all data protection legislation in European Union (EU) member states such as the Data Protection Act 1998 (DPA) in the UK.
The GDPR includes new and improved privacy rights for individuals within the EU, such as “the right to be forgotten”. The new obligations relate to the collection, use and transfer of consumers’ personal data. The official interpretation of Personal Data is “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, and posts on social networking websites, medical information, or a computer’s IP address.”
But why now – it doesn’t come into force until the middle of 2018?
You may think that with over 12 months still to go, it’s plenty of time to put something in place, but this is not a small issue that can be overlooked. The new regulation introduces severe penalties for breaches of the GDPR with legislators able to impose fines of up to €20 million or 4% of an organisation’s global annual turnover in order to ensure compliance. That’s a lot of money.
Don’t we already have something similar in each country’s own Data Protection Act?
The GDPR will require organisations to have a legitimate reason for processing personal data. Consent can be given by a written, electronic or oral statement. This could include the data subject ticking a box when visiting a website or choosing technical settings for social network accounts. Importantly, pre-ticked boxes or inactivity will no longer equal consent. The remit of the GDPR goes a lot further than existing Data Protection legislation in other countries.
In an interesting development, individuals will now be able to request that their personal data is erased by the organisation and no longer processed. This is called the ‘right to be forgotten’.
If I am in the UK then Brexit will save me, won’t it?
Although the UK is in the process of leaving the EU, the triggering of article 50 will take 2 years to complete. So the UK will still be a member of the EU in May 2018 and all UK organisations will almost certainly have to implement these regulations. As this is also a ‘common-sense’ piece of EU legislation, there is no reason to suspect it will be repealed as and when Brexit does come into force. It really isn’t worth taking the chance.
So how do I find out more? What should I do next?
Fortunately, there is plenty of professional help and guidance available, and some forward-thinking organisations, such as Deloitte, with the GDPR Consent Management Framework based on K2, have developed easy-to-implement solutions, based on sound legislative principles, that can take away the headache.
Deloitte and K2 will be running a series of events, webinars and seminars on the topic of GDPR and how to solve the challenge, and we look forward to sharing the skills and knowledge we have gained already. The threat of fines is all too real; however, the chance to protect citizens’ personal data once and for all presents us with an opportunity too good to miss.
If you would like to learn how K2 and Deloitte can help your security, regulatory and privacy teams grasp the action plan necessary for GDPR compliance, join our “The General Data Protection Regulation (GDPR) Deadline is Coming – Get an Action Plan!” webinar with Bart Eynatten, Senior Manager in Analytics and Information Management at Deloitte, on June 7th.