What does the new EU General Data Protection Regulation mean for you?
A post by Kate Lewis, Head of Data Strategy & Projects at GBG.
On 17th December 2015, one of the EU’s most heavily lobbied pieces of legislation reached an epic milestone: after almost four years of negotiation, the parties agreed the text of the General Data Protection Regulation (GDPR). The law is expected to be passed by the European Parliament and the Council of the EU in early 2016, but a two-year implementation period has been discussed, so it will most likely come into effect in 2018. The current proposal is something I’m fully in support of, but as the text can apparently be amended right up until a few hours before it is passed into law, it’s worth keeping our fingers crossed that we won’t be thrown any curve balls.
As it stands, I believe that there is nothing in there that we shouldn’t all be trying to do today.
There has been some discussion as to whether consent for direct marketing purposes needs to be explicit or merely unambiguous. The GDPR text states that consent must be freely given, specific, informed, and an unambiguous indication of the data subject’s agreement to the processing of their personal data. Responsible organisations already collect data on this basis, so cementing it in law is great news. For non-marketing purposes this should mean that consent already gathered to that standard will still stand, so we can continue to use and benefit from historic data for purposes such as fraud prevention. It is also worth noting that the regulation’s recitals recognise processing strictly necessary to prevent fraud as a legitimate interest, so that use need not rest on consent alone.
Much of the debate has centred on data being used for marketing purposes, and many people overlook the benefits of sharing data with organisations like GBG. We use this data for identity management purposes, which not only helps to protect an individual’s identity but also returns value from the data exchange. As an individual, surely you’d be happy for your ID to be protected from fraud, or to be contacted regarding an asset you’d forgotten about or had been gifted in a will?
One of the key changes in the regulation is the increase in the maximum fine for those who breach it: up to four per cent of global annual turnover (or €20 million, whichever is greater), compared with the previous UK maximum of £500k under the Data Protection Act 1998. Hopefully this will be a big deterrent for organisations and help to ensure they do the right thing; I’ve often heard people foolishly comment that “we’ll just budget for the fine as part of our campaign”.
There is a lot of media coverage regarding the changes, so I shan’t waste your time telling you anything you don’t already know (or can’t easily google!). At an event a few months ago we were told by some privacy experts that if you are compliant with current data protection legislation it won’t be too difficult to comply with the new regulation, and, based on the proposed draft, I have to say I agree with them.
For those of us who aren’t, however, it’s time to get to work before it’s too late. If you need assistance ensuring your organisation is compliant, or simply wish to know more about what the proposed changes mean for you, please contact firstname.lastname@example.org.