In last month’s Leap 100 poll, 65 per cent of respondents said that they were “a little concerned” about the approaching EU General Data Protection Regulation (GDPR). In fact, only 12 per cent were “not concerned at all”.
GDPR is the new set of rules which are coming into full effect across the EU from 25 May 2018 – and that includes the UK, Brexit or not. GDPR will be directly applicable in the UK from that date, and the British government has made it clear that, even after Brexit, the UK intends essentially to keep GDPR in place, as British law.
Two of the key features of GDPR are an increased focus on transparency (telling people what you plan to do with their personal data), and accountability (recording what you are doing to comply with the law).
Other major themes include the concepts of “data minimisation” (only collecting and processing the minimum amount of data that you need for the purpose you are seeking to achieve), and only keeping that personal data for as long as is necessary for the purposes for which you are holding it.
In other words, it is made very clear that, while “big data” is seen as a good thing, even bigger data is not. On top of that, individuals have a number of rights – including the right to see their data, to correct it, to transfer it, and to delete it.
The other talking point around data collection is whether you need to get the person’s consent, and what consent means. Consent is one means of making processing lawful – but it will often not be the best way, and in many cases will not be the right way at all.
If you need to collect data in order to perform a contract – for example, you need my address to deliver my online shopping to me – you can rely on that. Similarly, if you have a legitimate interest in processing my data which does not interfere unduly with my rights, you can rely on that instead.
The final big issue is around fines. Under GDPR, fines for breach could hit the higher of €20m and 4 per cent of global turnover – but the UK’s information commissioner has been at pains to dampen concerns about that, indicating that much lower fines should be anticipated. Even so, a serious breach could lead to a very serious fine.
So what should businesses be doing now? In order to work out what you need to do to comply with the law, you need to have a clear view of: what data you are collecting; how you collect it; where you store it; why you hold it; what you do with it; how long you keep it; and how securely it is being kept. You can do that by speaking to the relevant people in your organisation and gathering your evidence. You can also undertake a review of the IT systems you are using to trace the data’s journey.
What you cannot afford to do is to assume everything is fine without further enquiry – 41 per cent of respondents to the last poll said that they had invested no capital in ensuring their systems are GDPR compliant. That’s a pretty worrying thought.