Alex Bateman, strategy manager at Virtual College, tells us what we need to know about GDPR
What exactly is GDPR?
‘GDPR’ is the new General Data Protection Regulation, brought in to replace the UK’s current Data Protection Act 1998. The GDPR will transform the way your information is used by organisations, businesses or governments. It is a Europe-wide piece of legislation and applies equally across all European countries. Even though the UK has chosen to leave the EU, the GDPR will still be adopted in full by the UK as of May 2018.
Why is it being introduced?
Current data protection regulations are now out-of-date and no longer fit for purpose, largely due to the rise of the Internet. More data was created over the last few years than in the entire history of the human race previously. The GDPR is an attempt to allow people more power over how their personal information is used and where it is stored. For example, it introduces the need for explicit consent when collecting and processing personal data.
Why do some people think it is important to bring it in?
There have been growing concern among consumers about the amount of data being collected about them, particularly behavioural retargeting. In the US, up to 30% of web users use adblockers. Combined with some high profile breaches, 143 million Equifax customers recently had their data compromised by hackers, regulators in Europe thought it was important for individuals to be able to control what information about them is stored and how that personal information is used.
What impact will it have on British companies?
Any individuals, organisations or companies who are ‘controllers’ or ‘processors’ of personal data will be impacted by the GDPR. If they’re currently subject to the Data Protection Act, it is highly likely that they will be subject to the GDPR. The GDPR helps to ensure businesses which process personal data do so responsibly – companies will be more accountable for their handling of people’s personal information. Businesses must have additional safeguards in place when transferring data outside the European Economic Area (EEA). Every business that offers products or services to EU citizens or handles their data will be affected. This includes businesses based outside of the EU.
What happens if a company fails to comply?
The current sanctions available to regulators for non-compliance have been greatly expanded. Organisations could be fined up to €20 million or 4% of global turnover, whichever is greatest. Possibly even more troubling is the ability for regulators to impose limitations and restrictions on the breaching party’s ability to process data. Imagine Amazon not being able to take payments through their website or Uber being unable let your driver know your location!
Will Brexit affect GDPR?
As far as I can tell, no. Even though the UK has chosen to leave the EU, the GDPR will be adopted in full by the UK.
Will it have the same impact whatever the size of firm?
It will impact firms regardless of size if they collect, store or handle data. If there are any breaches of the GDPR, the fines will be based on the severity of the breach vs the ability to provide evidence of compliance.
This means if you are not already planning for May you need to start now. We’ve created a free overview that explains the changes that you need to be aware of as a risk owner. You can find the overview and loads of other GDPR resources at https://www.virtual-college.co.uk/gdpr