After three years of arduous discussion, it is now certain that the EU’s long-awaited General Data Protection Regulation (GDPR) will finally become law some time in early 2016. Although it is not the first piece of data legislation to affect EU member states – the Data Protection Directive (95/46/EC) has been in place since 1995 and will be supplanted by the GDPR – the majority of businesses have grasped that it is without doubt the most far-reaching.
From the outside, the GDPR can look complex and inscrutable, the sort of thing that can only be understood by legal experts. Here we try to reduce it to its bare essentials: the parts that organisations must know about and, after a bedding-in period that might stretch to two years, fully comply with.
The GDPR represents a huge change in the way organisations must approach data, but it also offers opportunity. Businesses able to adapt to the GDPR quickly will reap the benefits down the line.
UK business and the GDPR - what is the GDPR?
It sounds like an obvious point, but it is worth re-stating that the GDPR is a set of rules governing the security and management of personal data, both of customers and of employees. Until recently, this would have covered only records held on or about individuals, but in an age of big data it should be defined as any data that could be used to identify someone.
Inevitably, some argument has surrounded how one can separate and define non-personal (i.e. anonymous) data that is not covered from data that could, in some circumstances, make someone identifiable. What is clear is that the data organisations (called ‘data controllers’) hold and gather on people is now an issue of business risk.
What is the timescale for its implementation?
The GDPR has taken over three years from its earliest drafts in 2012 to reach the stage where agreement is in sight, now expected by the end of 2015 or very early 2016. After that, full enforcement should commence two years later, in late 2017 or early 2018.
The GDPR is a regulation not a directive
The EU issues directives as general provisions that can be enacted on any timescale a country wishes. By contrast, a regulation has the force of law, is immediate across all member states (within a defined timescale), and does not require legislation in each country. That is the point of regulations – everyone has to comply.
Which organisations will be affected?
Initially, only those with more than 250 employees processing over 5,000 records per annum, although in time smaller enterprises, whatever their size and record throughput, will come within its scope. The timetable for this extension is not yet clear. Importantly, businesses based outside the EU will also be affected by the GDPR if they operate inside the EU, extending its reach to a global level.
Organisations must identify which data held by them qualifies as personal, where it is physically stored and in what state. Because this introduces a management overhead, it will be in the interest of businesses to minimise the data they collect in future and to ensure its accuracy.
The GDPR has fuelled a small industry of legal and compliance practitioners who will help organisations through the pitfalls of compliance. However, organisations must always set up their own internal structures to cope with something as complex as the GDPR (see below).
Privacy, consent and rights
Because the GDPR underlines the privacy of personal data, this must from now on be built into the way data is collected and managed, so-called ‘privacy by design’. All data must be gathered with explicit rather than assumed consent, and the right of data subjects to withdraw that consent must be communicated and explained as part of the data’s lifecycle. In future it won’t be possible simply to accumulate and hold on to data because there is no policy for disposing of it.