If you are a business manager in a European company that holds personal customer data, or one that holds data on European customers, it’s time to start sitting up and taking notice. GDPR is here, and you really can’t afford to ignore it any longer.
GDPR—or General Data Protection Regulation, for those who have not come across it before—is a European regulation to strengthen data protection, and unify it across the EU. The idea is to give control back to individuals, and also make life easier for international businesses, by making the law consistent across the region. It applies to data held about EU citizens, regardless of where it is held or by whom. It will come into force in May 2018, after a two-year transition period.
Improving data protection
The European Commission understands that businesses may struggle to understand the changes. It has issued extensive documentation, including the detail of the legal framework as well as factsheets designed to help companies understand the requirements and benefits.
It is not just data-holders preparing for implementation, either. London law firms, for instance, are already planning a litigation campaign. And of course, where there are threats, there are also management consultants standing ready to help their clients address them. Based on the experience of the UK’s Freedom of Information Act, which came into force in 2005, some commentators have suggested that there will be a barrage of requests from individuals, campaigners and organisations from the moment of implementation.
If these dire predictions are in any way justified, companies will need to have their houses in order well in advance.
Fortunately, the principles behind the regulation are relatively simple. They are broadly designed to ensure that data are only gathered for legitimate purposes, that only data required for those purposes are held, that data are processed in a way that is both fair and in line with the law, and also that no data are held for longer than necessary.
Businesses will need to be able to demonstrate that they abide by these principles. In practice, this is likely to mean having a data protection officer and/or data controller, and documentation to set out how and why data can be collected and held. Perhaps most importantly, there need to be procedures in place to enable users to give and withdraw consent for their data to be collected and stored, and for what purposes, and also for erasure of data.
Good and bad news
The good news is that most companies already complying with domestic requirements on data protection will probably be covered. The even better news is that the introduction of GDPR gives everyone a reason to review what they are doing and make sure that it is effective and compliant.
The bad news is that some obvious problem areas are already emerging. The biggest is ‘shadow IT’, or IT applications and usage that were not necessarily signed off by central IT. These are likely to include some cloud-based and SaaS applications that may well involve personal customer data. What CIO could put hand on heart to say that they knew about every last app and service used across their company?
Although GDPR may, at first glance, seem like something of a headache for companies, it is undoubtedly going to be a good thing for customers. What’s good for customers is probably ultimately good for business, too, but that’s not the main advantage. The really important aspect is that the regulation will level the playing field for anyone handling data about any EU citizen, no matter where the business is based: European, US, Asian and Australian firms will all have to meet the same requirements. In an increasingly global economy, that amounts to a global transformation.
It will certainly be good news for the qualification and certification market. For example, IT Governance has already announced the launch of its Certified EU General Data Protection Regulation Practitioner Online training course. Certification does serve a purpose, though: it helps to ensure that those taking up data protection officer roles are aware of their responsibilities.
Some disagreement about priorities
Not everyone agrees, of course, about what the requirements mean, or how best to implement GDPR. The French data protection authority, for example, has launched a consultation to identify priorities and explore questions like when companies are required to appoint data protection officers. But there is one thing which is certain: GDPR will be on us within 15 months, and it is time to sit up and take notice.
Learn more
Our experts have pulled together an educational webinar on how to meet evolving data protection compliance requirements with industry-leading analytics. The presentation will also cover personal data identification and protection whilst ensuring the necessary agility, accessibility and flexibility for your data strategy. Learn how to remain compliant here.