2018 will be a big year for data. If you work for an organisation that plays any role in handling personal data, you will probably be aware of the regulatory shake-up that officially comes into force in May next year. Grasping the legal and technical complexities may look challenging at first, but there’s no need to fret. Educating yourself on the GDPR and being mindful of it at work is a great opportunity to add value to your organisation – and give yourself a career boost in the process.
So what actually *is* the GDPR?
GDPR stands for the General Data Protection Regulation. It’s an EU-wide law regulating the use of the personal data of individuals in the EU, superseding the existing data protection laws in member states. In the UK it replaces the Data Protection Act 1998, and the government has confirmed it will continue to apply after Brexit. The central aims of the GDPR are to update data protection rules for today’s digital world and to make life easier for international businesses by harmonising legislation across the EU. The GDPR was published in May 2016, but does not become enforceable until 25 May 2018.
What are the key points?
The GDPR sets out in more detail what constitutes ‘personal data’ and widens the definition to include online identifiers such as IP addresses, cookie identifiers and mobile device IDs.
Individuals gain more rights over their data and how it’s used. Key additions are data erasure (often referred to as the ‘right to be forgotten’) and data portability (the right to receive your data in a machine-readable format and transfer it to another controller).
There are new rules on how organisations manage data: they must keep records of their data processing activities and implement appropriate technical and organisational measures, such as encryption and pseudonymisation, to protect personal data.
Organisations in certain categories (public authorities, and those whose core activities involve large-scale or systematic monitoring of individuals or processing of sensitive data) are required to appoint a Data Protection Officer (DPO) to oversee data protection procedures and compliance.
Personal data breaches must be reported to the relevant supervisory authority within 72 hours of becoming aware of them, and affected individuals must be informed where the breach is likely to result in a high risk to them. Failure to comply can result in a fine of up to €20 million or 4% of annual global turnover, whichever is greater (this is significantly more than most existing legislation allows – in the UK the current maximum is £500,000).
Should my organisation be doing something about this?
Most definitely, and the majority have started preparing already. The clock is ticking for organisations to put in place the architecture and procedures needed for GDPR compliance. Since all personal data now needs to be accounted for, whether stored on site or in the cloud, technology has a big part to play. Data discovery and monitoring tools can be used to track where personal data is held and who is using it, and data processing systems should protect personal data, including by encrypting sensitive data. The right use of IT solutions will ease the administrative burden on organisations.
Changes will also be needed at a structural or organisational level – for example, making sure all employees are aware of the GDPR, understand their role, and know the protocol to follow in the event of a breach. Many organisations will need to hire a DPO (it’s estimated that 28,000 of these posts will be created as a result of the regulation) and make sure his or her role is properly defined within the organisation.
What can I do to give myself the edge?
Having a good understanding of what the GDPR means for business will give you an advantage whatever your job title (unless you’re a DPO, in which case being a GDPR geek is mandatory).
Educate yourself on GDPR compliance and ask how it affects your organisation and your role specifically (Whose data do you use? Where is it stored and managed? Who has access to it?).
Be sure to take up any training offered by your employer.
If you run a team, ask whether you should be hiring new skills relevant to data management, or developing the skills of your existing staff through external courses.
Businesses should already be talking to technology vendors whose solutions help manage personal data, and starting the hiring process for a DPO.
Raising these issues and showing leadership around them will make you an asset to your organisation, and will help it avoid those eye-watering fines.
Where do I start?
The Information Commissioner’s Office (ICO) has published a guide to the GDPR, which includes links to the relevant parts of the legislation; also see its 12-step guide to preparing for the GDPR, aimed at organisations. Check out events and summits too, such as the GDPR: Summit in London in October.