General Data Protection Regulation – how bad can it be?
Working as a GDPR solution provider, this is one of the questions that often comes up in initial meetings with our customers. For those of us who lived through the Y2K panic, it is easy to draw parallels between the two storms and hope that GDPR amounts to an equally damp squib as the millennium bug. The difference is we know more this time – with Y2K, every apocalyptic scenario seemed possible and, however unlikely, there was always a sliver of a chance that aircraft would fall from the skies and ATMs would spit notes out, while back end systems added and removed zeros to bank balances. Nothing that dramatic will happen with GDPR…will it?
In theory GDPR is simple – check that the data you are holding is legal and secure and you’re good to go. If it isn’t legal and it isn’t secure, then you could be in a spot of bother come the 25th of May 2018. Of course, nothing is ever that black and white, especially as we are talking about close to 90 pages of legal text containing 99 separate articles. So, there are plenty of interpretations to consider, but that shouldn’t stop you making a start by understanding where your issues are, what you need to tackle and in what order.
A Compliance Journey
To help you with this, I will be leading you on a journey over the next two months, tackling a new area each week to help you understand what needs to be done to comply with GDPR, prioritise your efforts and implement it.
With a little focus, next time the board ask if you have GDPR sorted, you will confidently announce ‘it’s all in hand!’
So, let’s get started with five GDPR basics before tackling the first of eight sections…
- GDPR will be law in the UK in May 2018; Brexit has no effect on this as the UK will still be in the EU on that date. The UK Information Commissioner has already stated that the UK will be adhering to it and, regardless, the ‘Great Repeal Bill’ is set to enshrine existing EU legislation into UK law, ensuring that GDPR stays on UK statute books, even after leaving the EU.
- It is a lengthy piece of regulation containing 99 articles (or stipulations) which need no local adaptation. It will be applied equally across the EU to ensure consistent handling of data, but must be adhered to anywhere in the world where EU resident data is being processed.
- The data being protected is what is called Personally Identifiable Information (PII) belonging to any EU resident. Think of any data that can be used to identify an individual, such as an address, phone number, credit card number or national insurance number. The regulation is attempting to rein in and secure the processing of any PII belonging to an EU resident – the term processing is used to cover any function applied to the data, such as storing, analysing, modifying etc.
- Consent is key to compliance with GDPR. An organisation must make sure it has the explicit consent of an individual to process their data. Additionally, the individual has many more rights than in the past – they can ask for the data held on them to be reported, they can ask for it to be changed and they can even ask for it to be removed (the right to be forgotten). Organisations need to be ready to respond to any of these requests.
- The penalties for non-compliance are heavy – the regulation's articles carry different weights, but depending on which were breached, organisations can be hit for up to €20 million or 4% of annual global turnover.
Starting early next week, we'll start to explore where to look and what to address to comply with a fundamental principle of GDPR: Legality and Consent. We'll continue this journey together on a weekly basis for eight weeks.
If you have any questions about this article or any other GDPR topic, please contact firstname.lastname@example.org
Graeme Riley is an experienced Global CIO with extensive experience in IT Security and Data Protection. He is currently a Director at Intersys Compliance Ltd.