Europe is about to face the most important change in data privacy regulation in 20 years with the implementation — after years of discussion — of a new regulatory regime that will have significant implications for anyone who holds data.
For all those collecting, organising, sharing, and deploying data in new ways, the balance between opportunity and risk has never been so finely poised. Against this background, the General Data Protection Regulation (EU 2016/679) — or GDPR — is due to come into force on 25 May 2018, intended to strengthen and unify data protection for all individuals within the European Union (EU).
According to the EU website on the new regulation it is “designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy”.
On the one hand, the regulation brings in more substantial penalties for breaches of personal data. With asset infrastructure owners holding increasing volumes of such data, these heavier penalties could sound like a threat to some.
On the other hand, others see it as an opportunity, because the regulations are more rigorous and the size of the fine will focus minds on the protection of personal data.
It is important to realise that GDPR builds on the UK’s Data Protection Act (DPA), which had stringent requirements over the management of personal data. However, I think many organisations took a risk-based approach to its implementation because they were holding relatively small amounts of personal data and the fines were normally far less than the £500k maximum.
It is likely that the heaviest fines — 4% of global revenue — will be limited to those that are truly incompetent, but this is still a very big deterrent, as a fine of this level could bring a business to its knees. UK telecoms firm TalkTalk’s record £400k fine for its failure to implement the most basic cyber security measures, allowing hackers to penetrate its systems with ease, could have been as much as £59M post-GDPR enforcement.
The DPA and GDPR both mandate implementing best practices for security to protect the data. Asset owners need to balance the cost of improved security against the size of the potential fine and the resulting reputational damage from a breach. If an asset owner can’t look after someone’s personal data, do they operate sufficiently robust processes to protect the physical safety of their users? Some of the new GDPR requirements might create a bit more work for asset owners, such as the requirement for positive consent, faster access to personal data for data subjects and the right to be forgotten.
Preparing for data subjects to exercise their rights
Asset owners may also be hit with a deluge of requests from data subjects to give them access to the information the asset owners hold on them. Imagine a co-ordinated request from tens of thousands of passengers for the personal data which a transport operator holds and which it must turn around in 30 days! Previously everyone had to pay a £10 fee to get access to their data – in future there will be no cost to make a request.
Although GDPR will almost certainly be enshrined in UK law, over time there could be some divergence between UK and EU regulations in terms of how personal data for their respective citizens is managed.
Regardless, global organisations operating in the EU post-Brexit will most certainly have to comply with the GDPR, as they will continue to hold personal data for EU citizens.
If you’re interested in knowing more about this topic, please contact: firstname.lastname@example.org