Since the Data Protection Act (DPA) came into force in 1998, there has been a strong focus on legislation governing how personal data is handled and protected. In just over a year's time, its successor of sorts, the General Data Protection Regulation (GDPR), will be enforced from the 25th of May 2018.
This new regulation adopted by the European Commission is understandably drawing a lot of attention across the world of business, with many organizations already well under way in their strategic preparation to comply with it, as catastrophic fines await those who fail to meet compliance.
However, don't panic if you haven't yet initiated your preparations. There is still time, though you need to act quickly. This article provides a brief overview of GDPR, what it is and why it is of such great importance, and covers some key aspects that need to be considered and tackled to prepare properly.
GDPR is a new extension of EU data protection law, set to be imposed on the 25th of May 2018. The aim of this regulation is to unify and simplify the protection and privacy of personal data and how it is handled by companies within the European Union. For those thinking Brexit will exclude the UK from having to comply, think again. GDPR is undeniably coming to the UK.
The DPA (1998), which came into force almost 20 years ago, also controls the way personal information is used by organizations, businesses, and the government, stating that everyone responsible for using data has to follow strict data protection principles. So how does GDPR differ?
There are a number of fundamental differences between DPA and GDPR. Consider marketing; under GDPR, organizations can no longer rely on negative opt-ins. Marketing communications need to clearly display time-limited opt-ins in plain language, while also providing the option to opt-out and object to profiling. GDPR also affects data transfers. For example, if you are a marketer working on a campaign, you may have typically emailed yourself a list of customer names through an email provider such as Gmail. This action would violate GDPR’s privacy principles, as Gmail is a cloud-based provider and from a privacy perspective it is the same as performing an international data transfer outside the list of white-listed countries.
Definitions of personal data have also changed under GDPR. The DPA included four main categories of personal data: information processed electronically, information processed by non-automated means forming part of a filing system, information forming an accessible record (health or educational records), and information held by a public authority. This expands under GDPR to incorporate Internet of Things (IoT) and location data, meaning the pool of data requiring management has grown significantly.
With the growth of both data volumes and complexity in recent years, there have been, and continue to be, rapid advancements in data storage, manipulation, and analysis technologies. Remaining compliant now requires constant adaptation of data protection to new technological and big data developments.
Finally, and most importantly, sanctions will dramatically increase under GDPR. Currently, under the DPA, the maximum fine an organization can face for breaching a data protection principle is £500,000. Under GDPR, sanctions are broken down into two types of breach: personal data breaches and administrative breaches. Breaches of these principles can result in an organization being fined up to €20 million or 4% of its previous year's annual turnover, whichever is greater. It's not just fines that can be enforced; GDPR can also subject organizations to enforcement orders and undertakings.
While these are only a handful of key differentiators from the existing DPA, it's clear that GDPR cannot be ignored and that preparations need to begin immediately.
GDPR will apply to every public and private organization, including sub-contractors, that processes the personal data (of employees, customers, prospects, etc.) of EU citizens. In short, if you are an organization that deals with any type of personal customer data within the EU, GDPR will affect you.
There are a variety of methods and plans that can aid your preparation for complying with GDPR. This section provides an overview of useful practices that will help your preparation set off on the right foot.
Initially, it's important to reflect on where you are now and what you already have. A phased assessment of your current situation is a suitable way to begin your preparation. This assessment should include a full review of your existing data architecture, covering everything from declarative information and technical data to documentation, so that you are fully aware of your current data governance umbrella. This will then help you identify what personal data needs to be incorporated into your data management strategy. For example, given the addition of the Internet of Things to the expanded definition of personal data, it's important to consider how social media data is processed by your company and how this is managed.
Following this, based on your current situation and the priorities identified, you can begin to gradually define a digital transformation plan. An effective data management and governance strategy is essential here and should lie at the heart of all activities. It's therefore advisable to draw up an architecture roadmap that is aligned with both the business strategy and best practice.
Finally, a fundamental practice throughout is change management. As part of this, senior management need to be involved from day one. Sponsorship, decision making, and prioritisation are key for any plan to be executed successfully and for change to happen. All of these processes commonly lie with the senior decision makers, so it's essential to have them on board from the beginning.
Having on-boarded senior management, clear control gates and sponsorship approval should be a regular feature throughout each phase of the transformation plan. This will ensure the smooth running of the plan from start to finish.
While there is so much more to GDPR than the simple practices described in this article, they can be useful in helping you get started.
If you would like to learn more about GDPR and get an in-depth overview of how to be best prepared, with practical examples, watch our GDPR webinar.