General Data Protection Regulations 2018 – Samantha Simms, global privacy officer, CWT
Hardly a day passes without an article in the press about misuse of personal information, whether that be a hack by bad actors, an organisation losing personal information or someone asserting their right to keep their information private.
Data privacy is of significant importance in today’s digital economy. The ubiquitous use of personal information in the borderless digital world brings opportunities to organisations and individuals alike. Organisations gain efficiency by knowing the users of their services better and tailoring marketing offerings to a particular ‘sweet spot’, while individuals enjoy swifter and more personalised user experiences.
This is why they say data is the new oil, but it is also the new asbestos. I prefer the more positive saying that “data is the new gold and we are the gold miners”. Like the gold miners, we can make great use of personal information, but we must also collect it in a way that is not damaging. There are more than 100 data protection laws in place across the world, but the GDPR is certainly the new global trendsetter.
The GDPR takes full effect on 25 May 2018. It replaces the existing Data Protection Directive at European Union level and the patchwork of data protection legislation in each country at a more local level. This means harmonisation in Europe through one law across the entire region.
And what about Brexit? The GDPR will apply to anyone doing business in the EU or more broadly to anyone handling data belonging to EU residents. This is one piece of law that will avoid the Brexit effect. To confirm the GDPR’s status in UK law, the government has recently announced it will introduce a law equivalent to the GDPR at a minimum.
The GDPR introduces an accountability-based framework for handling personal information. This new law has some serious teeth: failure to comply could result in a fine of up to €20M or 4% of an organisation’s annual turnover, whichever is greater.
Under the new rules, consent must be clear, affirmative and unambiguous. The pre-filled tick box/opt-in is no longer permitted. Users must be fully informed of how their information is going to be used and why, including which third parties and third countries will receive it. The GDPR also requires organisations to notify authorities of a data breach within 72 hours of identification.
This is a lot to deal with, isn’t it? Well, yes and no. The GDPR is designed with new technologies and processes in mind. Remember I said data is the new gold and we are the new gold miners? Data mining and data science initiatives are one of the key drivers for the GDPR. The same can be said for social media and personalisation through digital tools. The use of data in this way is a growing industry that many organisations are seeking to tap into. The GDPR has been designed specifically to address the need for data privacy legislation in the digital era, and it brings some clarity to what many consider a complex topic.