The last couple of months have been turbulent for the UK, and as the dust settles on the landmark decision to leave the European Union, those of us involved in the world of regulation are being asked what it means for EU GDPR.
Now, if your first question is “What is EU GDPR?” then you can click here to download our short introductory guide. However, put simply, it is the biggest single change to data protection since the introduction of the Data Protection Act of 1998.
The vision of EU GDPR was to create one digital economy for the then 28 member states of the European Union, with one set of rules and regulations for handling the personal data of more than 500 million citizens. In essence, its central role is to better protect the rights of those whose data is powering the digital highway on which we now depend.
With the increasing regularity of embarrassing leaks of personal data, something needed to be done to better protect the digital citizen than the frankly archaic and inadequate protection offered by an act drawn up in the mid-1990s. Just think how your personal digital world has changed between then and now; maybe you weren’t even born in the 90s, which throws into relief how much a major upgrade was needed.
EU GDPR stands to offer:
- Rights for the EU Citizen over how their personal data is used (citizens must be informed and give their explicit consent on how their data may be shared/utilised)
- Punitive punishments for those who do not protect this data (fines of up to 4% of global turnover or 20M Euros, whichever is the greater, can be levied)
- Citizens having the right to be forgotten – no more holding on to personal data for no reason
- The requirement for organisations to declare, in detail, data breaches or loss within 72 hours (bear in mind many security experts claim most breaches currently go undiscovered for months)
- The responsibility of data owners to deploy “state of the art” systems to protect data (aged systems and technologies will not be an excuse)
- Organisations to employ a Data Protection Officer; this role is new, and its holder must understand both the regulation and how their organisation is complying with it and policing the data of citizens
It is a significant regulation and, whilst the above only scratches the surface, it does give us some idea of the scale of the change. However, what does it mean now that we are about to exit? (“About” is used very loosely, given some of the timescales attributed to when Article 50 may be triggered.)
Well, at first glance it falls into two distinct camps:
- Organisations who will hold EU Citizens’ personal data after we exit the EU
- Those who will not
If you are in the first camp and would potentially hold any personal data from an EU Citizen, then you are still required to comply with the regulation, as it was always designed to be a global requirement when dealing with EU Citizens’ personal data. The regulation comes from the perspective of protecting the EU Citizen’s data, wherever it may reside.
If you don’t, or will never, hold any EU Citizen’s personal data (to put in perspective what personal data is, think of anything that could identify them: IP address, credit card number, name, address, phone number, etc.), then you won’t need to comply.
However, as negotiations develop surrounding trade and free movement agreements, there will be conditions around how these are to be done, and you can be pretty sure that the flagship regulation on handling personal data could well be included in them.
Also, the Data Protection Act of 1998 is so out of date that the UK needs a new standard, and why would we begin the onerous task of writing one from scratch when one we contributed to is sitting on the shelf and gives us parity with Europe?
So, as we write this article nothing is certain, but the Regulation came into force on May 24th of this year and therefore predates Brexit, making it law currently. Equally, it is unlikely that down the line organisations will be able to avoid it.
It’s time to embrace the change and get compliant; at the end of the day, isn’t a more secure, diligent digital realm something to be applauded?
If you’d like to know more about EU GDPR you can download our introductory guide below.
Alternatively, if you’d like to know more about our compliance programmes or how we can help your organisation, you can contact us below.