The General Data Protection Regulation (GDPR) brings data protection into the 21st century. The Regulations update legislation, protecting personal data for modern living.
What is the GDPR?
The result of years of planning, the GDPR was drafted by the European Union (EU) to update data protection for the way we live.
The GDPR replaces the Data Protection Act 1998 in the UK. It means that organisations have more obligations in how they handle and protect personal data.
It gives people more control over their data, and there are tougher fines for companies that do not comply or that suffer data breaches. Regardless of size, organisations need to comply if they process personal data.
The Regulations are far reaching. They apply to companies who process personal data within the EU, as well as global businesses that offer goods and services to individuals in the EU.
At a glance:
- GDPR came into effect on 25 May 2018
- The Regulations ensure consistency across the EU
- UK companies will still need to comply post-Brexit
- In the UK, the Information Commissioner’s Office (ICO) is responsible for enforcing it
- Organisations can be fined up to 4% of annual global turnover or €20 Million (whichever is greater)
Why do we need it?
With the increase in connected devices and social media, we share more personal data online than ever before. We are used to granting permission for our personal information to be shared or stored when we browse, shop and connect to apps.
Global tech firms like Facebook, Google and Amazon offer their services for free in exchange for user data. However, data breaches have occurred with millions of Facebook, LinkedIn and Yahoo
In addition, the Regulations provide clarity to businesses on how they can use data, and what is compliant. Companies are encouraged to reshape the way they approach data privacy. Compliance is not a ‘tick box’ exercise, but an ongoing journey and obligation to data security.
What does it mean for the data industry?
Individuals are empowered by the Regulations, and rightly so. People can hold organisations to account, and have more control over what they do and don’t allow. As people become more aware and concerned over their data, they can withhold consent, submit a subject access request or even delete their information altogether.
These shifts mean fundamental changes for the data industry, which must demonstrate compliance in line with the rights of the data subject.
What about Brexit?
Even after the UK leaves the EU, the GDPR will still apply. The Data Protection Act (DPA) 2018 has now received Royal Assent, with the government maintaining the principles of GDPR.
This new data protection bill replicates the requirements of GDPR, ensuring consistency when we leave the EU. Businesses that are compliant with the GDPR should also be compliant with the DPA 2018.
“Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU.” – Matt Hancock, Digital Minister
It’s possible that a future government could change the law. Yet any UK company that wants to trade with EU countries will need to follow the Regulations, much as US companies do now.
The UK wants to build an enhanced data protection framework, which goes beyond the ‘adequacy model’ defined by the EU. This will allow the free flow of personal data between the UK and EU, essential for trade post-Brexit.