GDPR: What do you really know?
You may have heard of it and seen the numerous stories that are causing panic across an industry who are still scratching their respective heads and wondering, “What do we do?”
Enforcement is nigh
So, in this month’s column, I’m tackling a subject that affects individuals, businesses and companies alike in Europe and possibly the UK (since Brexit may well change a few things, but I’ll come back to that topic in a moment). Essentially, unless you’re a Mark Zuckerberg harvesting private data en masse and sharing it with third parties (allegedly) then you should be alright!
The General Data Protection Regulation (GDPR) was approved by the European Union (EU) Parliament in April 2016. After four years in the making, along with suitable discussion and debate – à la EU-style – the new legislation becomes enforceable on 25th May 2018 – yep, that’s next month folks! And, for those who are not ready and lack compliancy, or have misused or accidentally breached data, you could well be faced with a potentially large fine, which could be anything up to £18million, or 4% of your global annual turnover – Ouch!
How much do you know?
However, I’m wondering how this will be enforceable, since even the ordinary “Joe Bloggs” for example, the local carpenter or plumber, is similarly burdened with this new legislation. I can understand that if you’re a large corporation such as Microsoft, Apple, Google, Facebook or Twitter, then you are essentially a large moving target who could well be affected by these new regulations and potentially faced with that knock on their corporate door but, for the SMEs out there, I’m unsure as to how this change in legislation is realistically going to work.
According to a British government study, only 38% of businesses and 44% of charities “say they have heard of” the new GDPR legislation. In short, no one can collect and use your personal data without your explicit consent where such data might include your name, email address or phone number. So, the fact that the UK will use this new legislation as a foundation to their new Data Protection Act is a comforting one.
Have you beefed up your cybersecurity?
Furthermore, in another shocking statistic according to the government study, of those that are aware of GDPR, only a quarter or so have made changes to their business operation in readiness for the legislation’s introduction. So, harvesting such basic and essential data with widely encompassing consequences can cause the most well-meaning of companies to perhaps stumble and fall foul of the new data laws.
Guess what? It gets worse: I talked earlier about data misuse or breach of data – well, it seems, if companies haven’t “beefed up” their cybersecurity, then they’re going to be in big trouble. You see, if there are breaches or instances of misuse of data, then the parties in question will need to report such abuse to the authorities within 72 hours or else! As such, the study confirms that fewer businesses and charities have adapted their cybersecurity practices, meaning that a large proportion of them are still vulnerable to attack.
I have the right to be forgotten!
Let’s get back to that Brexit thing. The British government is adamant that nothing will change after the UK leaves the EU. The same data privacy policies will still be applied, since the government will embrace the GDPR irrespective of being in or out of Europe and, as testimony to the “business as usual” stance, businesses will continue to trade with EU members, where the UK will be aligned with the rest of Europe regarding data privacy and use. In short, if we in the UK don’t adopt the EU legislation, then it will be difficult for the UK to trade with businesses across Europe.
And lastly, the GDPR provides individuals and business with far-reaching powers. Essentially, you can demand a copy of all your personal data retained by a company or business where they must provide such data in a timely manner. Moreover, as an individual, you can additionally request that all data be removed as a “right to erase” or “right to be forgotten.”
Until next time…
As I write this column, the whole Facebook debacle continues with Facebook claiming they will change their policy regarding their own data use, as well as third-party apps. It is perhaps a blessing that the issues highlighted by Facebook have made us all aware of the importance and the value of our personal data. It seems some companies think it’s a free-for-all – merrily collating our data, then misusing it in some way in the guise of “accepting our terms and conditions” as carte blanche to do pretty much what they want. It’s so poignant that the Facebook troubles have surfaced now, especially with the looming GDPR legislation becoming enforceable across Europe next month.
How many of you have had that call asking if you need a loan or could you please take part in a survey? I get so annoyed! How did you get my number? I’m confident that I made it explicit that the data I share with you in the first instance should not be shared with any third party. Damn you: My data is not there for you to cherry-pick. As individuals, we must be more aware of how our data is being used and we must police how companies use it too. With the GDPR arriving soon, we can begin to name and shame those abusers and furiously wag our fingers at them.
So, this is where a “shaking my head” Dr. G signs off.
Originally published in Technically Speaking.