GDPR

The EU’s General Data Protection Regulation (GDPR) will apply more-or-less uniformly across the EU from 25 May 2018. It requires an organisation storing or processing the “personal data” of EU citizens to put data privacy – Privacy by Design – at the heart of its data processing. Many observers think that GDPR will become a major cost of doing business in the future. Bloor thinks differently. We see it as an opportunity to add value for your company. It’s an opportunity to leverage “privacy by design” for building trust in the Mutable business.

Why is it important (hot)?

The GDPR means that organisations must significantly change the way in which they protect and process personal data. It gives the subjects (“owners”) of personal data important new rights, including judicial remedies if these rights are infringed and mandatory reporting of data breaches. Organisations must introduce “appropriate technical and organisational measures” to protect personal data – that is, “privacy by design”, with data privacy and security taken into consideration from the start. However, this can also bring bottom-line benefits from managing a “360 degree” view of sensitive data and encouraging data rationalisation.

Remember too that GDPR applies to the personal data of EU citizens outside of the EU. Ovum claims that 63% of US organisations think that GDPR will make them less competitive, while 70% believe that it favours European businesses. These US organisations are probably overlooking the fact that the EU also genuinely takes the privacy of its citizens seriously.

Figure 1 – Percentage of UK businesses, and charities that have made changes to their operations in response to GDPR’s introduction.

How does it work?

The full text of the GDPR is here. When reading an Article, don’t overlook the linked Recital, which the authorities will use to elucidate precise meanings. GDPR is based on 7 principles:

1. Lawfulness, fairness and transparency – personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
2. Purpose limitation – personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes shall not be considered incompatible with the original processing purposes. However, further conditions in relation to processing for such purposes must be met.
3. Data minimisation – personal data must be adequate, relevant and limited to those which are necessary in relation to the purposes for which they are processed.
4. Accuracy – personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
5. Storage limitation – personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (with some exceptions).
6. Integrity and confidentiality – personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
7. Accountability – the controller shall be responsible for and be able to demonstrate compliance with these principles. Being able to demonstrate that you have policies and processes (supported by tools) in place is the key to compliance and avoiding penalties.

What constitutes personal data?

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. See the GDPR FAQ.