The purpose of the GDPR
The way we use data has significantly evolved since the last Data Protection Act came out in 1998. The General Data Protection Regulation (GDPR) has therefore been designed to protect the privacy of you and me today, and in the future.
To understand the reasoning behind the GDPR, you must understand the value of your personal data in today’s digital world and the likelihood of it becoming public data.
In 2016-17, according to a UK Government report, 46% of UK companies suffered a data breach or cyber attack, causing financial loss and reputational damage. However, the unfortunate truth is that many companies only discover a data breach when it is published by the attacker, which often highlights to the public not only poor security measures in protecting the data, but also the excessive amount of data that was being used by the company.
Three great examples:
- Equifax, a US credit reference agency, were hacked in 2017. Just under 700,000 records of UK citizens were among the records exposed, none of whom gave permission for the US firm to process their data. Equifax have since been investigated by UK authorities to establish why the highly sensitive personal data of UK citizens was being processed by the US firm.
- The whistleblowing event between Facebook and Cambridge Analytica in March 2018. Whilst this wasn’t a data breach, it highlighted how a company exploited a loophole in Facebook’s platform and illegally gathered data on 50 million users to be used in political campaigns.
- Information is Beautiful has created a visualisation of the quantity and severity of data breaches over the last decade. There’s a high chance you will have been included in some of those data breaches.
Finally, if you’re still not convinced, pop your email address into https://haveibeenpwned.com to see if you’ve been included in a data breach (I have. Several…).
These breaches often highlight the unlawful, excessive and insecure processing of personal data. Data protection is about addressing the risks within companies in order to preserve our rights and freedoms. The GDPR has been designed to stop this kind of malpractice by setting rules that focus on protecting the privacy of people.
Who’s affected by the GDPR
All companies, self-employed people and public bodies that are established in the EU, that process personal data in the EU, or that are outside the EU but provide services to EU citizens. This applies whether or not payment is required between the company and the individual. So in short: everyone is affected by this.
Although the GDPR has been set out by the EU, the UK are adopting it regardless of Brexit. The Information Commissioner’s Office (ICO) is the UK body responsible for interpreting the EU law and overseeing its implementation in the UK. They are the guys who may come knocking on your door when something goes wrong.
Current status of the GDPR
The GDPR comes into force on 25 May 2018. However, there are still gaps in the law and guidelines being refined (you’ll see this page by the ICO being updated monthly). Therefore it is not possible to become GDPR compliant just yet. Even when everything is refined it will be hard to be confidently 100% compliant, as many parts of the law are subjective because every company is different.
Instead, what we can do is become as ready as we can. Incorporate the core principles of the GDPR into your culture (more on this later) and establish a clear picture of how data is used inside your company.