An intro to The General Data Protection Regulation
This post marks the start of a series on GDPR (this is part 1), starting with what it is, then moving on to the obligations and requirements businesses should focus their attention on. I will update this post each time a new post in the series is added so it's all available in one place.
GDPR is The General Data Protection Regulation
Prior to GDPR coming into force in 2018, each country in the European Union wrote its own laws on data protection. Some in the EU saw this as creating barriers to sharing information between member countries and hampering trade. Individuals' privacy was being increasingly invaded, and their data increasingly breached, and something needed doing. In the UK, the Data Protection Act did place requirements on business, but GDPR raises the bar, and some felt the ICO did not have the ability to punish abuse with enough force. Under GDPR, fines for the most serious failings can amount to 4% of a company's worldwide annual turnover at group level (or €20 million, whichever is higher).
Inconsistency was not the only issue:
- Social Media was born and really got into its stride
- Ecommerce and online buying boomed
- Marketing activity for some became pretty aggressive and invasive
- The "segment of one" became a priority, which meant learning a lot about each individual
- Mass adoption of smart phones and mobile technology
All this activity and wealth of information created ever larger gold mines for attackers to target and steal from.
GDPR created alignment between the member states and ensures that each country collects, handles and protects personal information in the same way, and to a much stricter standard.
GDPR Protection Principles
If you run or are on the board of a company, you should be aware of the protection principles that have been brought in.
- GDPR gives individuals a set of rights over their data, such as the right to be forgotten (right to erasure), the right to object to direct marketing (the basis for unsubscribing) and the right to restrict processing
- You can no longer opt people into services like marketing emails by default; consent must be given actively, not via a pre-ticked box.
- Organisations are now required to clearly communicate why they need data and to justify it with a lawful basis
If you run a business of any size make sure you are aware of the seven major protection principles that must be applied and demonstrated. Remember, GDPR applies to all businesses, regardless of size.
- Purpose limitation - why do you need the data? Only use it for the purpose you collected it for
- Lawful, fair and transparent - be clear, open and honest about what you're doing
- Data minimisation - only collect, store and use what you actually need
- Accuracy - make sure it's correct and up to date
- Storage limitation - get rid of it when you no longer need it
- Integrity and confidentiality - keep it secure, don't lose it
- Accountability - be responsible with the data and be able to prove you are
For now, I think that's enough to cover a quick intro. In later posts, we'll go into a bit more detail about some of the areas to give thought to.
We'd also like to highlight that we'll soon be putting the finishing touches to our GDPR software solution, which aims to take the pain out of becoming GDPR compliant and demonstrating it.