It is now exactly one year until the General Data Protection Regulation (GDPR) comes into effect across Europe. The countdown is well and truly on for organisations to get their houses in order and become compliant.
There has been a huge amount of discussion concerning the topic over the last year or so, and plenty of confusion about what the rules actually mean and what the penalties are for falling short.
Here, Silicon takes a closer look at one of the EU’s biggest ever privacy regulatory shake-ups and outlines why you really do need to pay attention.
GDPR was approved by the EU Parliament on 14 April 2016, after four years of discussion, and will come into effect on 25 May 2018 for all businesses operating within the European Union.
It replaces the 1995 Data Protection Directive and has been designed to remove fragmentation in data privacy law across Europe, as well as to give citizens new powers to control their personal information.
In the UK specifically the legislation is essentially an upgrade to the 1998 Data Protection Act (DPA). Several of the underlying principles are the same, but there are also some key policy changes that will dramatically impact how organisations approach data privacy.
The change that has undoubtedly garnered the most interest is the new penalty regime. For the most serious infringements, such as processing data without a valid basis (for example, without sufficient customer consent), organisations can now be fined up to four percent of their annual global turnover or €20 million (£17.2m), whichever is greater.
A lower tier of fines, up to two percent of global turnover or €10 million, applies to less serious infringements, and the Information Commissioner's Office (ICO) in the UK, the body responsible for handing out fines, has already shown that it is not afraid to follow through with financial punishments, even under the current £500,000 cap of the 1998 Act.
Back in January, for example, it fined RSA Insurance £150,000 following the loss of the personal information of nearly 60,000 customers, and followed this up with a £270,000 nuisance-call fine for Hampshire-based firm Media Tactics.
The ICO’s largest fine so far has been the £400,000 penalty it dished out to Keurboom Communications Ltd, the company behind 99.5 million nuisance calls to people across the UK.
Another key factor is the extended jurisdiction of GDPR: it applies to all companies processing the personal data of people residing in the EU, regardless of where the company itself is located. The rules for consent have also been significantly strengthened to make them clearer and more favourable to customers.
When it comes to consumer rights, the key areas for businesses to consider include: the right to access the data that a business holds on you; the right to be forgotten, i.e. to be erased from an organisation's database; and the right to be informed about what your data is being used for.
Businesses will also have to adopt a ‘Privacy by Design’ concept where data protection is built into systems from the outset rather than being added in later on.
“GDPR is a game changer in every way, from bolstered rights for individuals through to a daunting new fine structure designed to hit companies exactly where it hurts – their bottom line,” commented Dr Jamie Graves, CEO at ZoneFox.
“It is the sort of overhaul that gives even the most seasoned executive team sleepless nights, due to its complexity and how it touches on every aspect of their business. The starting gun has officially been fired and one thing is for sure: from day one, the EU will not be accepting excuses.”
A report in February of last year suggested that the majority of organisations were not confident of achieving compliance in time, and this was followed by a study which found that just four percent of UK businesses understood the regulation's impact.
Those hoping that Brexit will prove to be a get-out-of-jail-free card will be disappointed, as the UK government has unequivocally stated that the new rules will come into effect before Britain leaves the EU.
However, the current level of preparedness is believed to have improved. At a roundtable hosted by Kaspersky Lab, multiple industry experts outlined how the general feeling is that businesses are moving from a state of awareness to one of understanding and preparation.
“What we’re seeing from a TechUK point of view at the moment is a real move from awareness that GDPR is coming to a greater understanding about what exactly is coming in a year’s time and what they need to be ready for,” said Sue Daley, head of cloud, data, analytics and AI at TechUK.
“Businesses are in a process of getting ready. Everyone is looking at this and looking to get ready which is absolutely vital.”
This thought was echoed by Jo Bance, head of global marketing at SQS, who said: “[GDPR is] a term that is recognised by everyone. It’s definitely gone through this stage of ‘what is it and does it impact us?’ to then giving someone the DPO [Data Protection Officer] responsibility and someone being responsible in the company for really breaking it down.
“There’s a lot of legal jargon and you need to understand it internally, so it’s going through that cycle of awareness.”
Of course there is still plenty of work to be done, but in general businesses appear to be on the right track.
And, with such serious financial and reputational penalties awaiting those who are slow to conform, this preparation cannot be completed soon enough.