GDPR: What you need to know about the new data regulations

September 27, 2017

A quick guide to the regulations that are set to dramatically alter how data is handled. 

Data protection in the European Union (EU) is about to undergo a massive overhaul with the new General Data Protection Regulation (GDPR), which will better reflect the volume and types of data produced in today’s digital-first world, and how best to protect an individual’s right to privacy in relation to that data.

The existing regulations were created in the mid-1990s and, while they were effective, they no longer reflect the paradigm shift in computing that the world has experienced over the last twenty years.  

Information governance has become a hot-button issue for groups operating in an environment that is generating large volumes of valuable data, and the implementation of new laws should be viewed as an opportunity to improve the security and governance of your data. 

Your company will be held liable for the way it handles data under the new regulations, and companies that are regularly involved in systematic monitoring of individuals may need to hire a data protection officer in order to be compliant.

The new regulations come into effect from May 18, 2018, with the goal of providing individuals with far more control over their personal data and strengthening protection around the ways that data is handled. 

The goal of the new regulations is to strengthen the ways that global establishments approach data privacy, and to protect the digital privacy of all EU citizens. While many of the regulations were enforced under the old laws, these new laws take it much further.  WIRED magazine notes that “where GDPR differentiates from current data protection laws is that pseudonymised personal data can fall under the law – if it's possible that a person could be identified by a pseudonym.”

The new regulations are set to fundamentally change the relationships between customers, vendors and service providers. 

The types of data protected under GDPR include: 

  • Name
  • Home address
  • Photographs
  • Email addresses
  • Bank account details
  • Social media posts
  • IP address
  • Medical information

“Consumers and citizens will have stronger rights to be informed about how organisations use their personal data,” explains Elizabeth Denham, the UK’s Information Commissioner. “They’ll have the right to request that personal data be deleted or removed if there’s no compelling reason for an organisation to carry on processing it, and new rights around data portability and how they give consent.”

“Doing nothing is not an option,” says AI Foundry, and there are fines of up to 20 million euros envisioned for infractions. 

So what are the implications of these new regulations for information governance? 

ACCESS
First of all, it’s important to know that consumers must be given access to their data, and they should have the ability to transfer that data to another service provider if they so desire. They also have the right to have any of their data deleted, provided there is no legal requirement to keep it. Until now, consumers could be charged a fee of 10 pounds to access their data; that fee has been scrapped, and companies must comply with a data request within one month and at no cost.

Companies with over 250 employees are going to be required to explain why they are capturing people’s data, describe the data they are gathering and clearly explain the security measures they are using to keep the data safe. 

BIOMETRIC & GENETIC
The definition of sensitive personal data has been expanded to include the categories of biometric and genetic data, neither of which existed when the previous regulations were drafted. Sensitive data also includes information such as ethnic origin, political beliefs, sexual orientation, trade union membership and more.
It is incumbent on organizations storing data to know exactly where it is kept, what Personally Identifiable Information (PII) is stored in that data, and how consumers can access their own data.

SECURITY
One of the driving forces behind the updated regulations is the frequency of security breaches happening all over the EU and the rest of the world. From May 2018, it will no longer be possible for companies to hide or minimize their security breaches. Whether it’s a financial breach, a confidentiality breach or anything else, organizations must report any breach to the ICO within 72 hours of becoming aware of it, and advise the consumers whose information has been compromised, “unless the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.”

ENFORCEMENT
Regulators will be given more powers to enforce the regulations than they currently have, and businesses that are non-compliant face considerable fines. To give you some idea of how seriously these new rules are being taken, consider that under current legislation, the maximum fine a corporation can face is 500 000 euros. But from next year, GDPR will allow regulators to fine up to 4% of a firm’s global turnover, or 20 million euros, whichever is bigger.

With the number of threats to privacy and security increasing all around the world, the new regulations are a welcome tool in the fight to protect the privacy and data of European consumers.

AI Foundry has developed an Agile Compliance solution for GDPR that can speed up a firm’s preparations and mitigate the risks that it faces. Get in touch to find out more about how we can facilitate your preparations. 

Read AI Foundry’s Solution Brief on how to prepare for GDPR.

Sources: 

https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018 

http://aifoundry.com/default/assets/Image/Resources/SOLUTION_GDPR_A4_UK_JUNE_8_17.pdf