Data – the information companies hold on us – has been dubbed ‘the new oil’ because it is so valuable. From next year, the EU will introduce a tough new regime for the collection and protection of our data: the General Data Protection Regulation. So far, very few people are aware of it…
Let me begin by asking you two questions. Firstly, have you ever looked at something online – a shirt, a new bathroom tap, maybe a holiday – and then found that you have been ‘stalked’ round the internet by ads for shirts, tops or holidays? And secondly, do you know the significance of May 25th, 2018?
Everyone reading this post will answer ‘yes’ to the first question. Unless it is your birthday or your wedding anniversary, I would wager that almost no-one will appreciate the significance of May 25th next year.
Friday, May 25th next year is the date on which the General Data Protection Regulation (GDPR) – described as ‘the most lobbied piece of legislation in history’ – comes into force. It is being introduced by the European Union and is intended to ‘strengthen and unify’ data protection for all individuals within the EU. Formally, ‘it will radically overhaul the relationship businesses have with personal data through a raft of new obligations and consumer rights.’
More simply, it is intended to give EU citizens back control of their personal data and simplify the regulatory environment for international businesses. And the EU is serious: the General Data Protection Regulation will be enforced with draconian fines which have the potential to put companies out of business.
We have written previously on this blog about a 20th Century taxation system failing to cope with a 21st Century economy, and about a 20th Century high street failing to cope with 21st Century retail. Now, it seems, we have 20th Century data protection failing to cope with 21st Century data collection.
First things first: what is data?
Last year Intel chief executive Brian Krzanich made a controversial statement: “Data is the new oil.” What did he mean by that? He meant that the information companies hold on us – on our buying habits, our income, our family background, our social opinions – is extremely valuable, and it will only go on increasing in value.
Every time you interact with companies like Google, Apple, Facebook, Microsoft and Amazon you give away personal data: because these companies are providing us with a service, we are happy to hand that data over. In fact, we give the data away without even thinking about it. But companies store and use that data – look at the way Amazon suggests books or products, for example. So far, the rules governing the collection, use and protection of our data have been haphazard: now the EU is looking to do something about it.
Why is this measure being introduced?
Simply put, because the EU wants a standard system of collecting and protecting data across Europe, giving all EU citizens the same rights. At the moment some countries – Germany and Estonia are the ones most often quoted – have very stringent laws; other countries give the individual citizen far less protection, with the relevant legislation changing as you cross borders.
People will now have the right to know what data is held about them and how it is used, and they will also have the right to correct errors.
What does the General Data Protection Regulation mean for me?
In theory, it is good news: you will get back control over your personal data and you can enjoy ‘the right to be forgotten.’ The EU and advocates of GDPR say this can only be a good thing. But in practice, who has the time? And besides, we like Facebook, Google and Amazon. They are an integral part of our lives: the UK population has embraced a new way of shopping and a new way of finding information, and I doubt that we are going to change, irrespective of how much data we give away.
What does it mean for business?
The implications of the General Data Protection Regulation for business are huge, with fines of up to €20m or 4% of your global turnover, whichever is the greater. As a comparison, the largest fine imposed so far for breaching the UK’s Data Protection Act is the £400,000 imposed on Talk Talk in 2016 – and there are plenty of suggestions that the EU will want to make a high profile example of someone to quickly drive home their message.
Just this month the Greater Manchester Police were fined £150,000 by the ICO after footage of interviews got ‘lost in the post’, proving that the ICO has no problem baring its legislative teeth.
Companies simply cannot ignore GDPR. It is a European directive: there is no consultative period and it is law from May 25th next year.
There is not the space here to outline all the measures businesses will need to take, but in summary form, the key measures will be:
- They must delete records when asked by candidates, employees or clients (the so-called ‘right to be forgotten’)
- Any data they hold must be ‘freely given’ (this will mean that companies offering free services, such as Wi-Fi access, in exchange for your personal information will no longer be able to force you to ‘tick a box’ and hand over your details if you want access)
- They must allow candidates, employees or customers to see any records they hold – including any notes they have added, and in an ‘easily readable’ format
There are also security and reporting implications for companies:
- They must be able to demonstrate that they took steps to include security when they designed their systems, such as CRM, a web platform or internal storage systems
- They must inform the Information Commissioner within 72 hours if they suffer a security breach or cyber-attack. Companies will no longer be able to keep quiet for fear of embarrassment and/or losing customers
- Companies must employ a Data Protection Officer – although so far it is unclear if this means a full-time specialist, or one of their own staff being specifically trained to regulate the company’s use of data, effectively becoming a Data Compliance Officer
These rules will apply to all companies with more than 250 employees: however, businesses under that level must also comply with GDPR if ‘there is a risk to the rights and freedoms of data subjects.’ In practice, all businesses of whatever size would be well advised to comply with GDPR – although so far 84% of UK SMEs have not even heard of GDPR.
Will Brexit affect GDPR?
Not immediately: however the exit negotiations are proceeding, we will still be members of the EU in May next year. After that, says Karen Bradley, Secretary of State for Culture, Media and Sport,
“The government will look how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
More succinctly, Digital Minister Matt Hancock has said that the UK will replace the 1988 Data Protection Act with legislation that mirrors the GDPR post-Brexit.
GDPR will still apply to EU citizens and to their rights under the new law, which means companies across the globe will need to give serious thought to their compliance from June next year.
So individuals and businesses may as well get used to GDPR: Brexit is very unlikely to bring any significant changes to the legislation.
Unquestionably, the General Data Protection Regulation will bring hefty fines for some household name businesses. It will impose a significant burden on many smaller businesses. But in theory, it will put the rest of us in control of our own data. Will we choose to exercise that control? Or will we carry on letting Amazon suggest what book we should read next…