Winter is coming. Sorry, GDPR is coming. The European Commission (EC) has just pointed this out again here: “even though the new data protection framework has been built on the existing legislation, it will have a wide ranging impact and will require significant adjustments in certain aspects. For this reason, the Regulation provided for a transition period of 2 years – until 25 May 2018 – to give Member States and stakeholders time to fully prepare for the new legal framework”.
In May 2018 the UK is still in the EU (and the UK government is implementing GDPR in UK law, post Brexit, anyway). GDPR will then impact YOU, in ways that you may not appreciate – even if you are a small company or a charity – if you store people’s personal data (and remember that even an email address is considered personal data). It’s not something that you should ignore.
So, if you are one of the 62% of UK businesses or 56% of UK charities that the Information Commissioner’s Office (ICO) thinks aren’t aware of GDPR (see here; smaller organisations are generally less aware than larger ones), at least read this (which, by the way, will tell you what GDPR stands for). It is a lawyer’s guide to GDPR, with explanatory notes.
Don’t waste time looking at all the technology solutions for GDPR that you’ll find on Google until you have some idea of what your legal obligations might be. Even if your storage and use of personal data is minimal (a small charity, perhaps), you should still be aware of GDPR, and consider the privacy of everybody involved (even where there isn’t a legal obligation, GDPR will probably result in people taking their personal privacy more seriously in general).
Ignorance of the law is not an excuse. You might feel that the EU won’t ever get around to prosecuting you (not that I’d endorse this approach), but not knowing what laws you are breaking, or how large the penalties might be, makes for very poor risk management, in my opinion.
And read the EC’s progress report (here, which I’ve already linked above); it will give you an idea of where the EC thinks EU countries have got to with implementing GDPR. Basically, not as far as it would like, but note:
- “The Regulation gives all data protection authorities the power to impose fines on controllers and processors. Currently [i.e., before May 2018] not all of them have this power. This will allow for better implementation of the rules. The fines can go up to EUR 20 million or, in the case of a company, 4% of the worldwide annual turnover;
- “Furthermore, several countries and regional organisations outside the EU, from our immediate neighbourhood to Asia, Latin America and Africa, are adopting new data protection legislation or updating the existing one in order to harness the opportunities offered by the global digital economy and respond to the growing demand for stronger data security and privacy protection. While countries differ in their approach and their level of legislative development, there are signs that the Regulation serves increasingly as a reference point and a source of inspiration;
- “In the context of the negotiations of a withdrawal agreement between the EU and the United Kingdom on the basis of Article 50 of the Treaty on the European Union, the Commission will pursue the objective to ensure that the provisions of Union law on personal data protection applicable on the day preceding the withdrawal date continue to apply to personal data in the United Kingdom processed before the withdrawal date. For example, the individuals concerned should continue to have the right to be informed, the right of access, the right to rectification, to erasure, to restriction of processing, to data portability as well as the right to object to processing and not to be subject to a decision based solely on automated processing, on the basis of relevant provisions of Union law applicable on the withdrawal date. Personal data referred to above should be stored no longer than is necessary for the purposes for which the personal data was processed. As of the withdrawal date, and subject to any transitional arrangement that may be contained in a possible withdrawal agreement, the rules of the Regulation for transfers of personal data to third countries will apply to the United Kingdom”.
Obviously, the devil will be in the details of the implementation of GDPR, and there will be a “post implementation review” by the EC in 2019, but “where Member States do not take the necessary actions required under the Regulation, are late in taking them or make use of the specification clauses provided for under the Regulation in a manner contrary to the Regulation, the Commission will make use of all the tools it has at its disposal, including recourse to the infringement procedure”.
Bloor believes that GDPR is a real opportunity to protect the data privacy rights of everyone and to foster the Trust that must be at the basis of the operation of a Mutable business – see here – but organisations must understand what GDPR is to start with. Somebody in your organisation, with the authority to make decisions, really must familiarise themselves with the GDPR in detail, not just with a summary or overview of the regulation, before May 2018.