GDPR is All About Evolution, Not Revolution
Out with the old and in with the new. The rules relating to Data Protection are about to see the most dramatic change in years, if not ever, with the soon-to-be-implemented EU Directive 2016/679 also known as the ‘General Data Protection Regulation’ (GDPR).
With drastic changes on the horizon, Data Processors are inevitably starting to feel the strain as the May 25th deadline looms in the not-so-distant future. Despite the apparently never-ending changes necessary for a firm to be GDPR compliant, it’s widely accepted that the GDPR changes are positive for both business and Data Subjects. GDPR isn’t going to go away, as we’re regularly reminded by the latest ICO advertisements with the tag line ‘make data protection your business’. It’s clear that GDPR is here to stay, regardless of Brexit, so let’s explore what the infamous GDPR actually means in the real world.
Looking at the fundamentals in which the old and new requirements of Data Protection are stated, the principles do bear some resemblance to the current regime. However, the principles adopted within the current ICO guidance are to be replaced with ‘the rights of an individual’. The shift from ‘principles’ to an ‘individual’s rights’ really highlights the change in focus, with an embedded reminder to firms that personal data belongs to the individual, not the firm. At a glance, you could be forgiven for struggling to see the differences, as the rights bear more than a passing resemblance to the existing 8 DPA principles. However, when you look under the hood, the scale of the changes quickly becomes clear.
The new ‘right to be informed’ and ‘right of access’ aren’t necessarily revolutionary changes within the realms of UK Data Protection law, but they’re certainly changes which a firm can ill afford to ignore as transparency becomes the focus. Data Controllers must now provide an unprecedented level of information to consumers, meticulously detailing every organisation they share personal data with, whilst also explaining the full journey that data will take during its lifecycle with a firm. This means the one- and two-page Fair Processing Notices we’re all familiar with are now a thing of the past. To further enforce this transparency, the rules surrounding Subject Access Requests have also changed. Firms will have 30 days to comply with a request and will no longer be allowed to charge a fee for the privilege.
The shift in power is nowhere more evident than in the creation of the ‘right of erasure’, ‘right to object’, ‘right to restrict processing’ and ‘rights relating to automated decisions and profiling’. All of these rules are designed to place control back into the hands of the Data Subject. It’s their data, and now they’ll have the power to tell you how you can use it.
Even when moving away from the fundamental differences GDPR brings with the new rights, the changes just keep coming. The burden of responsibility no longer rests solely on the Data Controller but also the Data Processor, meaning that the increase in the potential fine which could be imposed runs parallel with the increase in accountability of all those that come into contact with personal data.
In certain circumstances, firms are now required to appoint a Data Protection Officer. Public bodies, and firms which handle large amounts of both personal and sensitive (although under the GDPR this will be known as special category) data, will no longer have an option in the direct apportionment of their data protection responsibilities. This role will be required to report directly, and autonomously, to senior management, whilst also having a direct feed to Data Subjects through the officer’s details being shared in the firm’s literature.
Then we come to breach reporting. Following a string of high-profile data breaches, such as the Equifax case which continues to rumble on, the controls around the timescales to report a data breach have been revised. Where firms were once afforded the luxury of reporting breaches ‘in good time’, this has now changed to within 72 hours of becoming aware of the breach, although it is to be noted that this also carries the caveat of ‘where possible’.
Despite the many changes referenced in this article, and the many more not referenced, there are three themes bursting out of EU Directive 2016/679: Control, Transparency and Accountability.
The GDPR is all about evolution, not revolution. It’s about building on the solid foundations put in place 20 years ago with the Data Protection Act 1998, and addressing the way that data is used in this ever-progressive technological world of ours. With the exponential rise in potential fines for non-compliance with Data Protection laws leaping from £500k to £17.5m or 4% of global annual turnover (whichever is greater), any firm would be crazy not to make ‘data protection their business’.
To learn more about GDPR and to ensure you are up to speed join us at our half day seminar in Leeds. You can also now download a GDPR Education Series and a Preparation Pack to ensure you're ready for May 25th.