What does the new EU General Data Protection Regulation mean for you?

A post by Kate Lewis, Head of Data Strategy & Projects at GBG.  

On 17th December 2015, one of the EU’s most heavily lobbied pieces of legislation reached a major milestone: after four years of negotiation, the parties agreed the text of the General Data Protection Regulation (GDPR). The regulation is expected to be formally adopted by the European Parliament and the Council of the EU in early 2016, and a two-year implementation period has been discussed, so it will most likely come into effect in 2018. The current proposal is something I’m fully in support of, but as the text can apparently be amended right up until a few hours before it is passed into law, it’s worth keeping our fingers crossed that we won’t be thrown any curve balls.

As it stands, I believe that there is nothing in there that we shouldn’t all be trying to do today.

The legislation requires that when an organisation processes personal data, a Fair Processing Notice (FPN, often called a Privacy Policy) is readily available. It should be provided in the same medium as the data was obtained, e.g. at the point where an individual makes an enquiry or a purchase online, and it should be easy to find on the organisation’s website, with any further opt-in details collected at the point of data collection. A compliant FPN clearly describes to the individual where and how their details will be used, and that information must be concise, transparent and intelligible, easily accessible, and written in clear and plain language. This should already be happening today, but we expect the rules to be tightened so that consent terms are no longer buried in lengthy terms and conditions.

There was some discussion as to whether consent for direct marketing purposes needs to be explicit or merely unambiguous. The agreed GDPR text states that consent must be freely given, specific, informed, and constitute an unambiguous indication of the data subject’s agreement to the processing of their personal data (explicit consent is reserved for special categories of data). Data is already collected in this manner today, so cementing it is great news. For non-marketing purposes this should mean that any consent already gathered will still stand, so we can continue to use and benefit from historic data for purposes such as fraud prevention.

Much of the debate has been around data being used for marketing purposes, and many people forget the benefits of sharing data with organisations like GBG. We use this data for identity management: it not only helps to protect an individual’s identity but also returns value from the data exchange. As an individual, surely you’d be happy for your identity to be protected from fraud, or to be contacted about an asset you’d forgotten about or had been left in a will?

One of the key changes in the regulation is the increase in the fines that can be imposed on those who breach it: up to four per cent of global annual turnover (or €20 million, whichever is greater), as opposed to the current UK maximum of £500k. Hopefully this will be a real deterrent and help to ensure organisations do the right thing; I’ve often heard people foolishly remark that “we’ll just budget for the fine as part of our campaign”.

There is a lot of media coverage of the changes, so I shan’t waste your time telling you anything you don’t already know (or can’t easily google!). At an event a few months ago we were told by some privacy experts that if you are compliant with current data protection legislation, complying with the new regulation won’t be too difficult, and, based on the proposed draft, I have to say I agree with them.

For those of us who aren’t, however, it’s time to get to work before it’s too late. If you need assistance ensuring your organisation is compliant, or simply wish to know more about what the proposed changes mean for you, please contact
