GDPR: Are you ready for the EU's huge data privacy shake-up?

Our personal data is shared with and processed by dozens of organisations every day

Next month a new law will make the consequences of failing to protect personal data for banks and others far more serious.

The General Data Protection Regulation (GDPR), which comes into force on 25 May, will be the biggest shake-up to data privacy in 20 years.

A slew of recent high-profile breaches has brought the issue of data security to public attention.

Claims surfaced last month that the political consultancy Cambridge Analytica used data harvested from millions of Facebook users without their consent.

It has been a wake-up call for data security. People are increasingly realising that their personal data is not just valuable to them, but hugely valuable to others.

The growth of technology and electronic communication means that every day, almost every hour, we share our personal data with a huge number of organisations including shops, hospitals, banks and charities.

But that data often ends up in the hands of marketing companies, analysts and fraudsters.

Now the law on data protection is about to catch up with technological changes.

"GDPR is designed and intended to embody a data protection regime fit for the modern digital age," explained Anya Proops QC, a specialist in data protection law.

"It seeks to put power back in the hands of individuals by forcing those who process our data to be both more transparent about their processing activities and responsive to demands for privacy-invasive processing to be curtailed."

Among the many changes are measures that make it:

  • quicker and cheaper to find out what data an organisation holds on you
  • mandatory to report data security breaches to the information commissioner, rather than just "good practice"
  • far costlier if fined for breaches - the maximum penalty rises from £500,000 to about £17.5m or 4% of global turnover, whichever is the greater

"This is legislation which can literally sink those organisations who fail to respect our data privacy rights," said Ms Proops.

Security

Organisations will have to review their systems and the way people work.

They will have to focus on technical security, including the use of encryption and the robust application of security patches.

But they will also have to use data minimisation techniques, including pseudonymisation - a technique that replaces some identifiers with fictitious entries to protect people's privacy.

Ensuring that staff members are reliable will also be a priority. Taking personal data "off site" on mobile devices and memory sticks poses particular risks. A failure to ensure that such devices are encrypted can immediately expose organisations to a fine.

Unwanted emails

We've all had those unwanted emails, annoying targeted adverts, and phone calls from a total stranger who somehow knows that we have been involved in a car accident - when we have no recollection of it at all.

These come from companies who have managed to get hold of our personal data without our knowledge or consent.

It's long been unlawful for such communications to be sent without our consent. But GDPR significantly tightens up the rules.

Consent must be freely given, specific, informed and unambiguous. It cannot be buried in lengthy terms and conditions.

That makes it much harder for marketers to establish that they have the requisite permissions, which is why your inbox has probably been littered recently with emails asking for your consent to continue receiving messages.

Oh, and it must be as easy to withdraw consent as it is to give it.

Conflicting advice

The strengthened "consent" is good news for consumers, but preparing for GDPR can be difficult and confusing for businesses.

Emma Heathcote-James runs a small company making natural soaps.

Small-business owner Emma Heathcote-James has been given conflicting advice about how to be GDPR-compliant

"One consultant told us if we'd emailed people within the last six months we're absolutely fine to contact them as long as it's not subscribed and it was clear they could have had the option to opt out," she recalled.

"Another consultant said, 'No, no - that's absolutely wrong.'"

Businesses with large client lists run the risk that many customers will ignore their requests and their client lists will shrink accordingly.

Data protectors

Most public authorities and organisations that monitor and track behaviour must appoint a data protection officer.

DPOs' duties will include monitoring compliance with the law, training staff and conducting internal audits.

They will also be the first point of contact for supervisory authorities and for individuals whose data is processed, including customers and employees.

They must be given the resources to do their job, cannot be dismissed for doing it, and must have direct access to the highest level of management.

Message to self: don't mess with a DPO.

Policing the law

The watchdog responsible for all this in the UK will be information commissioner Elizabeth Denham.

"We will have more powers to stop companies processing data, but we only take action where there has been serious and sustained harm to individuals," she explained.

"What this new fining power gives us is the ability to go after larger, global and sometimes multi-national companies where the old £500,000 fine would just be pocket change."

She added that she accepted that some companies will need time to become fully compliant.

"The first thing we are going to look at is, have they taken steps, have they taken action to undertake the new compliance regime," she added.

"Do they have a commitment to the regime?

"We're not going to be looking at perfection, we're going to be looking for commitment."

Large fines will be reserved for the most serious cases, she said, when a company refuses to comply voluntarily.

Overall effect?

Companies will be obliged to tell individuals clearly why they are collecting their personal data, how it is going to be used and with whom it is going to be shared.

All of which means that the GDPR should make our personal data safer and less easily obtained by those we don't want to have it.

But there will be teething pains and some organisations that do not adapt in time will suffer.

And forget the idea that this could all become moot post-Brexit.

Although GDPR is a piece of EU law, the government has made it clear that the UK will remain signed up.

There are probably two reasons for this: first, if the UK watered down its data protection laws after Brexit, this might result in other Europeans treating the country as a pariah state, which would have an impact on trade.

Second, in the current privacy-preoccupied era, there is unlikely to be much public appetite to dilute GDPR's protections.