Back in April the European Parliament passed a law, the General Data Protection Regulation (GDPR), which many businesses will have to comply with from May 2018. It’s been a pretty long time between this and the last data directive, and since April we’ve decided to leave the EU, so you might be wondering why you need to act now, and – post-Brexit – whether you still have to prepare for the changes. Well, wonder no longer!
What is the GDPR?
The General Data Protection Regulation is the new legal framework for data protection.
The general idea is that it gives citizens – that’s you – greater control over your data and ensures that there are standardised levels of protection throughout the EU.
The big thing is that – because it’s a regulation rather than a directive – this isn’t open to interpretation by each member state so it’s going to create a level playing field.
But we’re not going to be in the EU!
The general consensus seems to be that despite Brexit we’re still going to have to comply with the GDPR, or at least a very similar framework applicable to UK businesses. This is so that we can continue to do business with the EU countries that do comply with it – so if you thought you were getting off lightly, think again!
Does it affect you?
Big time. This is something that any business collecting or processing personally identifiable information of EU citizens is going to have to prepare for, otherwise it’ll be facing regulators with much sharper teeth, and consequences including fines and serious reputational damage.
On the plus side, it’ll hopefully mean tighter data security, greater trust from customers and more transparency; we’ve just got to push through the pain barrier first!
When is the deadline and why do I need to act now?
You have until 25th May 2018 to get compliant. That sounds like loads of time but, for many organisations, there will be a lot of work to do in the lead up to then.
The time is now – a GDPR timeline:
1995 – Data Protection Directive (DPD) – The European Directive governing data protection
1998 – Data Protection Act (DPA) – The UK version of the directive
1998-2014 – A whole mess of security breaches hit both high-profile companies and SMEs
2014 – The GDPR is announced, many people don’t know what it is
Now – Reading this blog and realising what you need to do
May 2018 – ‘The Compliancing’ – The law will be enforced
Andy, Managing Director of Secarma Security Consultancy, explains why it’s taken so long and why now is the right time for a change.
“It’s been in the making for a few years. You’ve got to go back a long time to the Data Protection Directive (DPD) of 1995 and the Data Protection Act of 1998, and then nothing. They’ve taken their time, and rightly so, to get something ready. And I think the issue is on the evolution and the expansion of technology. The digital world is now so different to what it was in ‘95 and ’98; a lot of this stuff’s kind of redundant. It’s got to be brought up to reflect modern tech.
“We just want one law or it’ll be far too complex. And what’s driving it from a, ‘What’s in that law?’ perspective, is a simple premise of giving citizens, EU citizens in this instance, control over their personal data. The individual suddenly becomes the driving force behind data protection, rather than the other way around. I think that shift in the balance of power is what’s going to make the difference over the next 10 years once this regulation is established.”
Now you know why, the next question is ‘what’ – what do businesses need to do to get compliant? We’ll be sharing insights from the experts on what you have to do next in an upcoming blog, so watch this space!
Disclaimer: The information in this blog is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an adviser or solicitor.
Read our expert GDPR Q&A whitepaper for more information.