You may have heard or read in the news about GDPR, so what is it? How does it impact you personally? Why should you be excited about it?
What is it?
GDPR stands for General Data Protection Regulation. It is a European regulation which repeals the 1995 European Data Protection Directive, from which the UK Data Protection Act 1998 was drawn. GDPR will apply uniformly across the EU from 25th May 2018. The UK will implement the GDPR into law and may call it the new Data Protection Bill.
The Data Protection Act 1998 governs how organisations and government bodies use the personal information of individuals (data subjects). It includes strict guidelines on the security and privacy of the information collected and processed by those organisations.
Why is it happening?
The advent of new technologies like smart devices, social media, etc. has changed the way we use and share data with organisations. Facebook, Instagram, Twitter, LinkedIn, etc. are a gold mine for organisations that intend to gather data on individuals and market their products and services. The DPA 1998 wasn’t designed to cover these aspects or any of the new smart technologies (smartphones, Fitbits, etc.) that collect so much personal data about us as individuals. With the ever-increasing threat of cybercrime and data breaches impacting so many organisations, it has become even more important to ensure that data security and privacy are taken seriously by the organisations that collect and process our personal data.
GDPR strengthens your privacy rights as individuals whose personal data is being processed by organisations, through:
- Allowing you to take control of your personal data by giving you the right to be forgotten, i.e. the erasure of your data from their systems
- Easier and free access to your own personal data held by organisations (by waiving the current £10 charge in the UK)
- Enabling parents or guardians to give consent on behalf of their young children for their data to be processed
- An easier process for moving your data between service providers (e.g. mortgage lenders, insurance providers, etc.)
- Requiring your explicit consent for the processing of any sensitive data (e.g. data related to race, ethnicity, sexual preferences, etc.)
- Making it simpler to withdraw consent for any processing of personal data, and giving you the right to object to processing for the purposes of automated profiling.
Organisations that breach the new Data Protection Bill may be subject to steep financial penalties, which could reach up to £17m or 4% of their global annual turnover, whichever is greater. That means organisations that collect personal data from individuals will need to put many more controls in place to ensure the security and privacy of that data. In addition, they will need to be upfront about why the data is being collected, what it is being used for and who it is being shared with. In many cases, they will need to obtain your explicit consent before using it in a way that may increase the risk to the privacy of your personal data. In short, they will need to be more transparent about the collection and use of our personal data.
For us as consumers, it’s a win-win situation, as we get to take back control of our personal data. For businesses, there is a lot of work to be done to ensure our personal data gets the treatment it deserves.
About the author:
Tarun Samtani is a Cyber Security and Data Protection practitioner helping SMEs and leading businesses build the capability to deal with today’s challenges of increasing cybercrime and new data protection regulation. He has addressed global audiences at various conferences across Europe on these topics. Connect with him on LinkedIn or follow him on Twitter to learn more about cybersecurity and data protection topics. His eBook on cybersecurity will be released on Bookboon later this year.
In the meantime, have a look at this eBook on Information security for non-technical managers.