The GDPR legislation was introduced in May 2018. Since then companies such as Google have been hit with hefty fines and there have been over 160,000 breaches. While most larger firms will understand GDPR inside out (and indeed have a data protection officer in charge of this) some smaller companies are still not fully up to speed and could be breaching GDPR without even realizing it. So what is GDPR? And three years from its introduction, why is it that so many people are still struggling with compliance?
What is GDPR?
On the 25th May 2018, the way personal data is collected, used, and stored changed. The General Data Protection Regulation (GDPR) superseded all existing data protection legislation, some of which was decades old and was certainly not designed for the avalanche of digital data that is used, shared, and stored today. The data protection legislation needed to change, and it was hoped that GDPR would protect and regulate how digital data in particular is used.
GDPR is a framework for laws that transcend international boundaries. As digital data knows no limits geographically, it was essential that any regulations governing its use adhered to the same criteria. GDPR was adopted by both the European Parliament and the European Council, and was rolled out in 2018. In the UK because of the Brexit vote, the government were allowed to make small changes to suit the UK’s needs, which led to the passing of the Data Protection Act 2018.
GDPR has a wide remit, but at its core is the collection, use, and storage of personal data. That could be anything from banking details through to a person’s date of birth – basically, it covers any information that can be used to identify an individual. Even things such as IP addresses and cookie identifiers fall under the ‘personal data’ catch-all. Certain information is given a greater degree of protection, such as a person’s ethnicity, political opinions, sexual orientation, or religious beliefs. Anything, in fact, that could be used to discriminate against an individual is dealt with more stringently under GDPR.
The seven pillars of GDPR…
GDPR’s seven principles read like a pledge of allegiance. They include lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality (security), and accountability. Out of these seven lofty ideals, only one is really new in any sense of the word, and that’s accountability.
The most common GDPR breaches businesses could be committing without realizing include letting staff use personal devices if data isn’t encrypted, paper materials including data that aren’t properly stored/disposed of, recording customer calls that include private data, or not having the correct unsubscribe options on emails. Nearly all of these misdemeanours fall under the ‘accountability’ category, although storage limitation and confidentiality, in particular, are also common culprits.
Data minimisation is a difficult one because it’s somewhat generalised in the GDPR wording. Organisations shouldn’t collect more data from users than they actually need to complete an interaction. So for example, a shop will not need to know your political opinions if you’re signing up to receive a regular newsletter. Likewise, an online retailer doesn’t need to know your sexual orientation or religious beliefs if you’re buying some online groceries. Overstepping the mark on data minimisation could cause businesses problems if the data they’re collecting could identify an individual.
The big problems, though, fall into the integrity and confidentiality category. How personal data is stored and used, and how widely it is shared is strictly regulated under GDPR. Failure to take full accountability for the safe storage and use of personal data is where many small businesses are falling foul of the regulations.
Under GDPR, personal data must be protected against ‘unauthorised or unlawful processing’. It also includes caveats for accidental loss, destruction or damage. So if someone leaves a laptop on a train containing a database full of personal information (and it appears to happen with alarming regularity these days), then the organisation can be held accountable for breaches under GDPR. The same applies if a business has left a ‘back door’ to their network wide open and allowed hackers to access personal information.
Put simply, to make sure they’re conforming to the GDPR rules, cybersecurity needs to be at the top of every business’ agenda these days. While GDPR doesn’t give out guidelines as to what good cybersecurity should look like, it does refer to those seven tenets and that’s a good place for any sized business to start.
Breaches can result in massive fines and, more worryingly, a substantial hit to a business’ reputation among customers. Organisations that suffer repeated breaches not only risk haemorrhaging money in fines, but they risk haemorrhaging customers too.
All of this boils down to ‘accountability’, and it’s something that businesses need to take seriously if they’re going to comply with both the Data Protection Act here in the UK, and GDPR generally (especially if they export or import, or trade overseas). If you’re not sure if your current business policies fall into place with the constraints laid down by GDPR, talk to a corporate law expert who specialises in GDPR and data protection today.