Just to be clear, this post contains information that is timely and relevant to any business with an online presence. This includes companies that manage data internally only and those that deal primarily with paper-based processes.
The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the European Council and the European Commission intended to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Prior to the 30th of March, when the government announced that EU law would be transcribed into UK law, there was some discussion as to whether the UK would adopt some of the larger changes it presented. Following that decision, it is now clear that some companies will have to take certain factors into account or risk fines from the governing body, the ICO.
This new regulation contains clear guidelines for large businesses, such as reporting data transmission between countries (with a new Privacy Impact Assessment (PIA) process), creating a data breach response plan and assigning a Data Protection Officer (who is now a protected employee). There are some minor changes to data collection: cookie acceptance is now a requirement, and opt-ins must now be actively selected (rather than being selected by default). There is also a new right for consumers to object to profiling (collecting sensitive data which is not being used for the purposes of consumer testing).
Companies must also abide by their own country's compliance regulations (rather than those of the country they are trading in) and will have one point of contact who will manage all their global compliance needs (rather than separate ones in each country).
The largest and most important change is the increase in penalties for being found negligent during a data breach (now with fines of up to €20 million or 4% of annual global turnover).
What isn’t included?
What is not really present in the new regulations, however, is any consideration of consumer protection, any focus on issues such as countering ransomware, or any thought towards the technology of tomorrow – especially with big data now a huge issue.
The subject of employee devices in the workplace (BYOD) was also not addressed, nor the impact of mobile technology or mobile app security, which are red-hot topics right now. In short, this new set of regulations brings with it plenty of red tape and quite an old-fashioned approach to data protection in the grand scheme of things.
When does it take effect, and what do I need to know?
There are two key changes which take effect on May 25th 2018 that businesses and consumers need to be aware of. Please note that if you trade internationally, there are changes to the data protection requirements which aim to normalise protection within the EU region rather than exclude businesses that trade outside it. Brexit and the UK's move away from the European Union has no effect on the GDPR: companies in the UK must adhere to the new compliance standards set out in the GDPR or risk significant fines if they breach any of the new rules.
- The Right to Object to Profiling.
Under the new regulations, consumers gain new rights to stop companies using their data. Profiling is broadly defined and includes most forms of online tracking and behavioural advertising. The new regulations require that (a) consumers are made aware that profiling is taking place, and (b) a PIA is carried out before user data is tracked.
- Mandatory Privacy Impact Assessments (PIA)
Businesses will be required to perform data protection impact assessments (PIAs) before carrying out any processing that uses new technologies and (taking into account the nature, scope, context and purposes of the processing) is likely to result in a high risk to data subjects.
In particular, PIAs will be required for:
- A systematic and extensive evaluation of personal aspects by automated processing, including profiling, on which decisions are based that produce legal effects concerning the data subject or similarly significantly affect the data subject;
- Processing of special categories of personal data, or of data relating to criminal convictions and offences, on a large scale;
- Systematic monitoring of a publicly accessible area on a large scale.
The NDPA will publish a list of the kinds of processing operations that require a PIA. Data controllers can carry out a single assessment to address a set of similar processing operations that present similar high risks.
A Word on the Future of Data Protection
In 2017, the world is an exciting place – full of change, hope, opportunity and potential risks. It is also full of IT companies that are taking over the management of IT environments. With outsourcing now a viable option and the majority of services delivered via the cloud, it will likely fall to the outsourcing companies to protect their customers from harm.
In many respects this means working proactively to protect the business market and having measures in place to ensure total resilience against different types of threats – both those which exist now and those which will emerge in the future.
This change is critical when considering how companies manage their IT environments. Where companies used to be responsible for their own servers, backups, anti-virus and internet protection, experts are now setting up these environments with the explicit aim of making them impenetrable. Technology is shifting from a self-managed luxury to a necessity delivered as a service.
In the future it seems that the effectiveness of a data protection approach will rest on the level of business investment. From a consumer standpoint, the world will be a shaky place – full of grey areas and bad ideas, but as sharper controls hit the business world, consumers may see some uplift in their protection, with the number of active criminals decreasing in the cyber world.
It's easy to be all doom and gloom, and the likelihood is that this problem will solve itself in the long term, but in the short term it will be an ongoing issue. While this new regulation will probably not change the world, it may prompt private companies to take matters into their own hands.
Why not learn more about IT Outsourcing and the Protection it provides?
You can see our IT Solutions and Services here or call us on 01268 627111 to learn more.