General Data Protection Regulation
The General Data Protection Regulation comes into force on 25 May 2018. It tightens up and strengthens the protections for individuals, when it comes to their personal data, which have been in force since the Data Protection Act was passed 19 years ago.
In Britain, we are often confused by the subject of data protection. Many people are willing to publicise on their social media to the world at large their name, address, what they look like, what their interests are, what their political leanings are (when for example they approve or disapprove of something Donald Trump has done), who their friends and relations are, what their interests are, what their political persuasions are and so on. However, they are then invited to be concerned about the disclosure of personal details such as their address, which they may regard as being public knowledge. The impetus for the new European Regulation has come from mainland Europe where many people and politicians see things differently and are much more concerned than us to protect privacy and to prevent snooping. Businesses here which wish to comply with the new regulation will need to change their mind-set to one which is much closer to that private, even shy model.
In doing so, companies will have to treat the holding of data rather like the handling of nuclear fuel: any business which holds the nuclear material will need to hold as little of it as possible, look after it carefully, make sure that they keep it under lock and key, transport it safely, and get rid of it as soon as they can.
The new regulation is about evolution not revolution. It builds on best practice under the Data Protection Act, and businesses which already comply with the Act will find it a short step to compliance with the regulation.
One of the new principles introduced by the regulation is an accountancy principle which states that businesses will need to create an evidential trail showing what they have done, so that they can demonstrate compliance if they are asked to.
As before, the regulation covers personal data, which is information of any kind (including name, address, a photograph or a sound file) about a living individual who can be identified. Under the regulation, it will now include information such as metadata and cookies which only a computer can see.
A business must have a lawful basis for processing data. This may be the consent of the data subject, i.e. the person the data is about, but there are five other grounds which do not require consent. These include that it is necessary for the performance of an employment contract with the data subject, which covers the holding of personnel files just as now.
There has been significant publicity about the increase in fines for non-compliance. Under the Data Protection Act, they are currently £500,000 or 1% of national turnover. That will rise to €20 million or 4% of global turnover. These warnings are likely, however, to have been overdone. In the UK, our regulator is the Information Commissioner's Office. The ICO generally issues warnings, reprimands and corrective orders instead of giving fines, and in fact fewer than one in 1,000 of their concluded cases recently has resulted in a fine. Even with the massive data breach affecting TalkTalk, the ICO has never given out a maximum fine.
There is still time for businesses to get their ducks in a row by 25 May 2018. They will, however, need to change their approach to data and to get a move on if they are to be ready in time.