Do you know about GDPR? If you don’t, then read on – but be warned, it involves data protection, the EU and regulation, which is probably why you have avoided reading about it in the past.
Let’s start with an example of its likely impact. TalkTalk received a record £400,000 fine from the Information Commissioner’s Office for the failings that led to its notorious data breach. This is 80% of the maximum fine that the ICO can impose. Under the GDPR – the EU General Data Protection Regulation – a similar incidence of non-compliance would expose TalkTalk to a maximum fine of over £70m. What would non-compliance mean for your organisation?
The deadline for the implementation of GDPR is May 2018. It will replace the ageing EU Data Protection Directive and is the first major rewrite of European privacy laws in 20 years.
You might think that, after Brexit, the GDPR will be irrelevant. Not so – the UK will still be a member of the EU in 2018. Could we opt out later? No – the rules are designed to establish a single, pan-European law on data protection, replacing an inconsistent mix of national laws. is means that any company, regardless of whether it is established in the EU, will have to apply EU data protection law if it wishes to offer its services in the EU. Some 78% of the UK’s economy is based on services, which are usually highly dependent on the free movement of data. The UK will therefore almost certainly retain the GDPR, even if it calls it something else. Plus, both the ICO and UK government have pushed for reform of the EU law for several years as they see better data protection as an important part of supporting the evolution of the UK’s digital economy.
The overarching aim of the GDPR is to strengthen citizens’ data protection rights and build trust. Its five main elements are: a “right to be forgotten”, when individuals no longer want their data used, unless there are legitimate grounds for retaining it; easier access to your own data, with more information on how it is used, including a “right to data portability”, making it easier to move your personal data between service providers; a “right to know when your data has been hacked”; a requirement to ensure data protection “by design” and “by default”, building safeguards into products and services from the earliest stage of development, for example by establishing privacy-friendly default settings on social networks and mobile apps; and, lastly, stronger enforcement including fines of up to 4% of global turnover, hence the potential impact on TalkTalk.
The idea is that data now drives commerce and that better standards of data protection, coupled with greater trust, will fuel growth, create business opportunities and help to power the expanding digital economy. It is estimated, for example, that the value of European citizens’ personal data could be worth nearly €1trn a year by 2020. GDPR is seen as key to growth, replacing a patchwork of national laws, no doubt to the chagrin of Brexiteers, with one law. This means companies operating in the EU will deal with one law, not 28 (or 27), saving – we are told – an estimated €2.3bn a year.
You need to know about GDPR, even if you don’t support its aims.