A win for personal data security: What reforms mean for you and me
After several years of intense political debate within the European Commission, there’s been a reboot of data protection laws across all 28 EU member states with the introduction of the EU General Data Protection Regulation (GDPR), which was adopted in May 2016 and comes into full force on 25 May 2018.
So will personal data become much safer as a result?
That’s the intention. There are three fundamental aspects to the GDPR:
- it fundamentally redefines how personal data has to be collected and stored
- it imposes a raft of new duties and responsibilities on organisations processing personal data
- it obliges large and specialist organisations to appoint a Data Protection Officer (DPO) to be responsible for complying with the GDPR.
‘Personal data’ means any information relating to an identified or identifiable person (the ‘data subject’), including their name, identification number, location, online identifiers or any factors relating to their physical, physiological, genetic, mental, economic, cultural or social identity.
In 2016, we witnessed the highest ever number of personal data breaches and the problem is spiralling out of control. And even post-Brexit, the GDPR will apply.
But what will it mean for you and me, in practical terms?
According to Ardi Kolah, Co-Director of Henley’s GDPR Transition Programme, ‘The core principles of the GDPR are fairness, lawfulness and transparency. Applying these principles means that organisations will need to be much more specific about getting consent from all of us.
‘You’ll be asked to opt-in to allow them to use your personal details and the request will have to be in plain English, and separate from the standard terms & conditions, not buried within them. Particularly sensitive information – such as biometric, genetic, medical or financial data – will be classified as “special data” and will require an even higher level of care and explicit consent.
‘Organisations that comply will be accredited with a mark and seal to show their adherence to the GDPR and, from a consumer protection perspective, these will become “hygiene factors” that we’ll all be looking for on websites and other channels to distinguish such organisations as being responsible and trustworthy.
‘Given that there will be much greater consistency in the EU Regulation right across the EU area, it will also be much easier to make a complaint. However, in most cases, the organisation will probably be ahead of you and will do all it can in its power to avoid punitive fines as high as 4% of global annual turnover or €20m, whichever is greater.
‘All large or specialist organisations must appoint a DPO and that senior manager must report any personal data breach to the Supervisory Authority within 72 hours or face another raft of sanctions. So no sensible organisation is going to risk falling foul of the GDPR,’ observes Ardi.
There are still a number of uncertainties, including the time period for which a person’s consent is valid. This really depends on the circumstances but it could be as short as six months, which means that organisations will need to obtain consent from their customers, clients and supporters on a frequent basis in order to continue to process their personal data rather than assume that consent continues ad infinitum.
So is there a downside?
‘The GDPR doesn’t extinguish the need for individuals to protect their own personal data and to take sensible precautions in that regard’, warns Ardi.
‘Most people are blissfully unaware that the metadata within the content they post on social media reveals their location, and you still shouldn’t put your bank statements in the recycling bin without shredding them first!
‘The only downside is that you might well notice an increase in the number of requests for your consent, but it’s important to remember that you’re now firmly in control of your own personal data and hopefully better protected as a result,’ he concludes.
To find out more about the Henley GDPR Transition Programme, visit: henley.ac.uk/gdpr