Next month GDPR comes into force. It is a piece of European legislation that the UK will retain after Brexit. It is intended to give people much more control over who has access to their personal data – and, ultimately, to give the “right to be forgotten.” But will it really make a difference? Or is data just the price we pay for living our lives?
Let me start with a simple question: what is significant about Friday, May 25th this year?
Ten months until Brexit? More or less. Three weeks until the World Cup? Five weeks before England go out on penalties? I suppose so…
More specifically, Friday, May 25th is the day when GDPR arrives. What is GDPR? It stands for the General Data Protection Regulation, a piece of European legislation which comes into force five weeks on Friday and which will affect everyone in the UK. And yes, even though we are scheduled to leave the EU in March 2019, GDPR will be adopted as UK law.
The impact of GDPR
GDPR will impact everyone – whether you run a business, or you are a customer of a business, you will be affected by GDPR. It will replace the 1998 Data Protection Act as the piece of legislation governing how personal data is used and stored in the UK. Essentially the EU wants to give people back control over their data. If a business handles employee and/or customer data then it will need to comply with GDPR – and woe betide any companies who do not do that. GDPR will be enforced by fines for non-compliance, with industry experts predicting that the fines will far outstrip those currently imposed for breaches of the DPA.
The impact on individuals
It has famously been said that “data is the new oil.” The phrase was coined by Clive Humby, the man behind the Tesco Clubcard, in 2006 and to some extent it is right. Data has become the price we pay for using the internet: Google is not free, we pay with our data.
GDPR is unquestionably going to make people more aware that they are ‘paying with data’ and the attendant publicity will focus people’s minds on privacy, and the question of data breaches.
Obviously, that is hugely in the news at the moment. Facebook has just seen $58bn (£41bn) wiped off its value over the Cambridge Analytica data breach and, if you read the papers this morning, Russia is about to launch a series of crippling cyber-attacks on the UK.
So will GDPR make people more protective of their data? Quite clearly if you do not give any data away Facebook cannot lose it and the Kremlin cannot use it. GDPR will also – in theory – give people “the right to be forgotten.”
What exactly does that mean?
When GDPR comes into force we, as customers and consumers, will have to explicitly give our consent for our data to be captured and used – but the GDPR regulations also make it clear that this consent can be withdrawn and revoked at any time.
Broadly speaking, we can ask an organisation to remove or delete our data when they have no compelling reason to hold it. For example, if I move my gas and electricity from supplier A to supplier B, then supplier A has no need to hold on to my details – name, address, payment history and so on – and I can ask for them to be deleted.
In these cases, the business concerned must ‘take all reasonable steps’ to comply with my request and must do so ‘without undue delay’ – generally held to be within a month unless specific circumstances make that impossible. If the company has shared my data with other companies – the so-called ‘trusted partners’ we all tick the box to avoid – then it must also notify those companies of my request.
What does GDPR mean for companies?
As we mentioned above, the penalties for non-compliance with GDPR are going to be significant. You can certainly expect to see some high-profile examples of fines being levied on household names.
Companies will not get any leeway over the May 25th deadline, so do not be surprised if you receive plenty of e-mails over the coming weeks to say ‘our terms and conditions’ are changing.
But will anything really change?
I am old enough to remember when proving your identity became a necessary part of getting a job. There was widespread grumbling and plenty of anecdotal stories of people refusing to supply ID.
Gradually though, people realised that if they wanted a job they had to supply ID – and today, no-one bats an eyelid at a request for a passport or a driving licence.
I suspect that what will happen is that the period after May 25th will see companies inundated with requests to remove data. It will also see people being much more aware that they can withhold data and deciding to do so.
But we live in a world that is dependent on data. In 2006 ‘data was the new oil’ because it was going to be so valuable. Today, data is the new oil in the sense that it keeps the engine running. I could not manage my life or my business without the internet and if giving up some personal data is the price I have to pay for that, then I have no choice other than to pay that price.
Most people are in the same boat. If you want a new job and you go through an employment agency then they are not only going to want your passport as ID, they will ask for your education and employment history. Depending on the job you apply for, credit checks might be involved. The simple fact is that data now has to be shared for our lives to work.
GDPR will give you the right to control your data to some extent. But if you want to continue living in the 21st Century then, in the long run, sacrificing some data will be the price of that.