The General Data Protection Regulation – are you ready?

By Tom Martin, MA, MIITD, LIB, QFA, CUA, CUC, CUG, CMILT, AMSOE, AMIRTE
“Change has never happened this fast before, and it will never be this slow again”

– Graeme Wood.

We live in a fast-paced world, where the only constant is change. Nowhere is this more evident than in the proliferation of information available through social media and the internet. Our world has shrunk to such an extent that privacy has become an ever-decreasing luxury. It is so easy to look up anyone or anything and immediately get copious amounts of information that may, or may not, be accurate. But social media does much more than this: it also allows any individual to pass commentary on anything they wish, and the more followers you have, the wider your message is distributed. This is a very modern phenomenon, probably the most striking aspect of our lives today, with no parallel in history. It has grown to such an extent that political leaders and opinion formers routinely bypass the traditional media outlets in favour of distributing their messages, unfiltered, through social media. So, guess who has the most Twitter followers in the world? You are correct, it is the Pope, with over 40 million! While the internet and social media are tremendous additions to our lives, there has been growing concern at the very great intrusions they can also make into the lives of private individuals. Targeted advertising based on the monitoring of browsing habits, together with the ease with which information can be distributed, has created real fears that individuals' privacy is increasingly compromised and that their consumer choices are narrowed by such targeting.

It is against this background, and because the existing data protection legislation had become badly outdated, that the European Union has introduced the widest-ranging change yet to how personal data, which includes both paper and electronic records, is collected, retained and used. The General Data Protection Regulation (GDPR) applies from 25 May 2018 and will have major ramifications for every organisation and business. What many people don't realise is that the GDPR has already been in force since May 2016, with a two-year transition period before it becomes enforceable on 25 May 2018. By that date, organisations, businesses, companies, sole traders, and just about anyone who processes personal data on any individual must be compliant with the requirements and obligations of the GDPR.

So what exactly does the introduction of GDPR mean, and how will this impact you?

1. GDPR significantly strengthens the privacy rights of individuals, and places greater obligations on organisations to protect and safeguard that privacy.
2. GDPR introduces very hefty fines for non-compliance: up to €20 million or 4% of your business's worldwide annual turnover, whichever is higher. Note that this is turnover, not profit.
3. GDPR imposes stringent obligations on organisations to report personal data breaches to the Data Protection Commissioner (in general within 72 hours of becoming aware of them), to notify affected individuals where the breach poses a high risk to them, and to take prescribed actions to contain and rectify such breaches.
4. GDPR requires public bodies, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, to appoint and properly resource a Data Protection Officer.
5. GDPR tightens the definition of consent. Where an organisation relies on consent to collect and use data from its customers, clients or service users, that consent must be freely given, specific, fully informed and unambiguous, and must be given by a clear affirmative action. Pre-ticked boxes, silence or inactivity on the part of a customer can no longer be treated as consent, and consent must be as easy to withdraw as it was to give. This element of the GDPR will place the greatest burden on organisations preparing for its introduction and trying to ensure they are fully compliant.
6. GDPR introduces obligations regarding websites and the tracking "cookies" they set. There are significant information technology implications for most businesses: the way information is captured, stored and used will change, and IT systems must change with it to ensure full compliance.
7. GDPR enshrines the "right to be forgotten" (the right to erasure), which allows an individual, subject to certain exceptions, to compel an organisation to delete the personal data it holds about them. Organisations must have procedures in place to ensure that such requests can be received, verified and acted upon within the required time.
8. GDPR gives individuals a right to data portability: on request, an organisation must provide the personal data an individual has supplied to it in a structured, commonly used, machine-readable format, and where technically feasible transmit it directly to another organisation. This will have significant impacts, in both financial and human resources terms, when a customer transfers his or her business to a competitor.
9. GDPR clearly defines the responsibilities and obligations of organisations that collect and retain personal data, whether as controllers or as processors, and also sets out the liabilities they are assuming.
10. GDPR sets out specific steps to take when obtaining information from children under the age of 16, including the need for verifiable parental consent for online services, together with the clear, plain-language form that communication with children must take. This has obvious implications for sporting and other organisations.

The key learning here is that the GDPR cannot be ignored or pushed into the background. For those of you old enough to remember the introduction of the Euro on 1 January 2002 (I have my hand up here!), the GDPR has some similarities: the date is immovable, and you must be ready beforehand or you will find yourself in trouble. IT providers are likely to be inundated with requests to update websites, point-of-sale systems, receipts, staff files, customer access and so on, so approaching your IT provider the week before the GDPR becomes enforceable is not a good idea.

Having worked on GDPR preparation with a number of diverse organisations, what is very clear to me is that each organisation is unique: each will have to examine every area of its own business and how the GDPR will impact upon it. From there, each business will have to draw up its own plan for ensuring compliance, and so avoid drawing the wrath of the Data Protection Commissioner and the risk of incurring fines and other sanctions.

The Data Protection Commissioner's office is ramping up its own resources in preparation for the GDPR and has already stated that it will begin inspecting and examining businesses for full compliance immediately after the GDPR becomes enforceable.

So, do you need to panic, or is the GDPR something that will settle down after a while and can be ignored for now? Whatever you do, don't ignore the GDPR: it is imminent, and it can have very costly consequences if you are deficient, negligent or non-compliant. That being said, preparing for the GDPR doesn't have to be an onerous task if you know what you are doing, have proper action plans in place, and begin the preparation as soon as possible. As a general rule of thumb, the larger the organisation, the sooner you need to start.

A final thought: the GDPR will shortly be with us, and it is going to stay with us, so it is not an optional extra.

Contact us today to see how we can help you audit your existing data collection and retention arrangements and advise you on how to prepare to be GDPR compliant. The clock is ticking ever more quickly towards 25 May!

Contact us today for a confidential discussion on where you see your tomorrow.