15 May GDPR: The reason you’re asked to review your privacy settings
If you use the internet to do…well, anything, you’ve most likely been asked to review, check or update your privacy settings recently. Why? Because data privacy laws are changing.
Come the 25th May 2018, the General Data Protection Regulation (GDPR) will become directly applicable in all EU Member States, meaning that each current member of the EU must adopt the GDPR in its entirety.
This is because the GDPR is a regulation, as opposed to a directive, which sets a general goal and leaves it to each country to choose how to achieve it. The GDPR therefore seeks to create a homogeneous level of data protection across Europe that gives individuals stronger rights and holds organisations to a higher standard of accountability.
In the UK, this means that the Data Protection Act 1998 will be repealed. It is hard to argue that the updating of laws regarding the processing of personal data is unnecessary. The way in which we use electronic devices, the functioning of the internet, and the way we behave online has drastically changed since the DPA 1998 was brought in. The GDPR then aims to update these laws to better protect people’s privacy in today’s digital age.
So why does this matter to me?
If you’ve logged on to one of your social media apps recently, you will have received a notification regarding your privacy settings. And not one akin to those alerting you to cookies operating on the page (a small bar along the top of the page that you swiftly close down), but a big, unavoidable screen requiring you to take action.
This is because one of the more notable changes brought about by the GDPR regards the rules around consent. Consent provisions are being strengthened and subject to additional conditions, such as being ‘unambiguous’ and easy to withdraw.
Consent must also be ‘explicit’ when processing special categories of personal data (often known as “sensitive personal data”; these include data relating to race, political opinion, religion, biometric data etc.). Under the GDPR, relying on default opt-outs or preselected “tick boxes” (which are, in any case, largely ignored) will be unlawful.
In short, a series of high-profile data breaches has brought the issue into focus, and companies are now required to do more to let you know what you’re signing up to before processing your personal data. This should hopefully lead to fewer unwanted emails, better encryption and more explanations as to why a given company is collecting your data.
Does this mean companies have acted unlawfully?
Most organisations do not take action on anything unless they are sure that their action/non-action will result in a) increased/decreased revenue or b) increased/decreased costs. In this case, organisations that breach the GDPR or are shown to be non-compliant can face significant sanctions.
Where under the DPA 1998 the worst breaches could attract a fine of up to £500,000, the GDPR raises the stakes to 20 million euros or 4% of the organisation’s annual turnover (whichever is higher). This steep increase in potential cost has jolted many into action from sheer fear of facing these penalties which, for many small and medium-sized enterprises, could mean ceasing to trade.
The Information Commissioner’s Office (the regulator of the DPA in the UK) has never issued the maximum fine for a breach of the DPA 1998, so it is unlikely to begin dishing out maximum fines under the GDPR for any non-compliance from the 26th May.
However, organisations are definitely waking up to the fact that they will need to take the security of the personal data that they hold and collect much more seriously than they have been doing, a culture change likely to be welcomed by everybody.