Though it may look more like the internet’s latest four-letter acronym, the GDPR is no laughing matter - and it doesn’t stand for “Great Dogs Perform Rap”, “Grandad Definitely Prefers Raisins” or anything of the sort.
No, it actually stands for the - try not to yawn - EU’s latest fun bit of data-based legislation, the General Data Protection Regulation. Not only is the title snappy and exciting, but also very descriptive: it houses a new set of laws that will protect the rights of individuals’ data at companies with any operations within the Union.
Ultimately, it will let users of any online service - whether their Facebook accounts, Amazon shipping information or a more comprehensive cloud computing package - control their data.
The EU’s official GDPR legislation document is, as you might imagine, a big jumble of legalese and thousands of clarifications of how the laws will apply. Not exactly perfect bedtime reading, unless you really need the help nodding off.
It identifies two classes of service providers who will come into regular contact with users’ personal info: ‘controllers’, who state how and why personal data is processed, and ‘processors’, who actually use the data stored.
Controllers could be one of any number of different organisations, including government agencies, charities and profit-seeking companies. Processors, on the other hand, will tend to be IT firms or related services that are more involved in the collection, collation and transmission of personal data.
Once in effect, controllers must ensure personal data is processed lawfully, transparently and for a specific purpose. Once that purpose is fulfilled and data is no longer required, it must be deleted. So, no more holding onto thousands of Twitter logins to boost your company’s follower count.
It also applies to any company that has operations or activities in the EU, not just those that are homed here. That means that the Amazons and Googles of this world will have to abide.
There are more laws that obligate all parties to report data breaches instantly, to hire a data protection officer if needed and to properly structure any user agreements to use or process their information.
On that last point, controllers must keep a record of how and when individuals give their consent for data to be stored. Users can withdraw this consent at any moment if they choose, too. If your current model for obtaining consent doesn't meet these new rules, you'll have to bring it up to scratch or stop collecting data under that model when the GDPR applies.
It is down to the controller in each instance to ensure that processors abide by data protection laws and best practices but, crucially, if processors are involved in a data breach, they are far more liable under GDPR than they might have been under the UK’s Data Protection Act, for example.
Those that fail to alert the relevant authorities of a breach within 72 hours could face a penalty of up to 2 per cent of their annual worldwide revenue, or €10 million, whichever is higher.
The GDPR will come to apply to all EU member states - including the UK, no matter the eventual outcome of Brexit - from 25 May 2018.
Just to be sure, the UK government has put forward a new Data Protection Bill this August that largely mirrors the GDPR’s requirements. This new bill includes the right to be forgotten but extends this to include social media posts from earlier in users’ lives - meaning you can finally be shot of those embarrassing teenage opinions concerning I’m a Celebrity - Get Me Out of Here that you chose to share in 2008.
The UK government will also extend the concept of “personal data” to include IP addresses, DNA and internet cookies, a far broader range than GDPR’s.
The hope is, according to Digital Minister Matt Hancock, to make sure the UK remains a safe place for EU firms to do digital business.
With under a year left, what can you do to get ready? Tune in to next week’s blog to read our top tips for getting GDPR-prepared.