It is a big week for all things GDPR (General Data Protection Regulation).
Firstly, Thursday sees us hit the 200-day milestone to GDPR Day (25th May 2018). This is the day when all businesses will be required to comply with the new regulation.
Monday saw the announcement that the new Data Protection Bill will be put before Parliament after the summer recess. This will once and for all settle what will happen post Brexit. The Bill will, to all intents and purposes, transfer the GDPR into UK law as a part of the Brexit preparations.
So GDPR is going to happen. It is time to get heads out of the sand and get on with preparations. 200 days is not long. This isn’t something that will only affect large corporations and the public sector; all businesses need to prepare.
Let’s put the record straight on the reasons for GDPR. It is not to persecute businesses and make it harder to do business; it is about making sure the massive amounts of data that are exchanged are exchanged in a way that protects the individual. And that individual could be you or me. Also, nowhere in the GDPR have I seen it say that something cannot be done. Things just have to be done in a way that protects you and me.
Let’s look at some of the reasons this regulation has been brought in.
- The current Data Protection Act has not kept up with technology and the power of the internet. In 1995, when the current act was written, there were 16m internet users, 0.4% of the population. In March 2017, it was estimated that there were over 3.7bn people in the world using the internet, that is over 49% of the population. 3.7bn people create a lot of data. Actually, they create over 2 exabytes of data a day. If that was stored on compact discs it would take more than 1.5 trillion of them. That surely has to be managed well.
- What we do on the internet has changed. In 1998 there was no such thing as social media, for example. Also, social media itself has changed. What started off as a great communications tool has morphed into a massive data generation tool used for all manner of analysis. We have become a commodity of the internet.
- There has been a lot of talk about the extended powers that will be given to the Information Commissioner’s Office (ICO). Yes, the fines have been increased, but largely this is to encourage businesses to do the right thing and not take the risk of being fined. Currently the maximum fine that can be imposed is £500,000. To a business turning over hundreds of millions of pounds a year, it may be worth the risk of a fine rather than spending the money on process and technology. Change that to between 2% and 4% of turnover or between €10m and €20m and the risk assessment may be a little different.
- Businesses will no longer need to register with the ICO, so that puts all businesses within scope. That has to be a good thing. No longer is it just large companies that can process massive amounts of personal data; it is as easy for a small or even micro business to hold huge amounts of data.
- The rights of the Data Subject will be increased. The most publicised is the right to be forgotten. But that is not the only big change. Consent will require all organisations that collect Personal Data using consent to review and possibly change their processes. This could require website modifications and reprinting of paper forms. If you haven’t got this planned in yet, it could be costly. I’m fairly certain that web developers will be in short supply in the early part of next year.
- Finally, GDPR aims to simplify the understanding of Data Protection across Europe. There will be one regulation covering all 28 countries, rather than the current 28 different regulations.
If you want to get some idea of what you need to do to prepare, read some of my earlier blogs. I also offer a one-day course on implementing GDPR with the National Cyber Skills Centre. If you haven’t started yet, your first job has to be to understand your data.
Image by Tnarlk Innael used under Creative Commons Licence