Technology is developing constantly; communication is becoming faster and the exchange of ideas and information easier. Considering how quickly things are evolving, it’s shocking to discover that the legislation protecting our data hasn’t been updated since 1998! That was the year that Apple introduced the first iMac, Google had its first Doodle and someone hit Bill Gates in the face with a pie (a dissatisfied Windows 98 user perhaps?). Our data protection laws are as out of date as Apple making desktop computers in see-through candy colours. The state of information is unrecognisable from that time and the laws protecting it have been in dire need of an update. Cue an intervention from the EU.
After four years of work the new ‘General Data Protection Regulation’ will detail how data should be stored, how it should be used and when it should be destroyed. The public will have more control over their personal data and businesses will have a more simple set of regulations to follow when using said data. ‘Data’ in this case, refers to anything that might be used to identify an individual, including cultural and economic information as well as mental health details and even IP addresses and other online identifiers. If information held under pseudonyms has the potential to identify an individual this could also be classed as personal data. The GDPR has widened the definition of ‘data’ significantly.
The fines for those who do not comply with the GDPR are hefty (£20 million is no trifling sum) but businesses have until 25th May 2018 to bring their systems into line. The new regulations also apply to companies who process data on behalf of businesses, so developers need to be aware of the legislation too.
The basic principles are:
- Data must be processed lawfully, transparently, and for a specific purpose
- Data must be deleted when no longer required or it has served its specific purpose
- Consent to keep and use data must be actively obtained and recorded
- The public have the right to request, update, rectify or move their data or have it destroyed altogether
- Data owners must also check the compliance of any processors they may use
- Data breaches should be reported to those affected immediately and to the Information Commissioner’s Office within 72 hours
- Companies outside of the EU are still subject to GDPR when processing or controlling data of individuals within the EU
Some of you may have already thought that as the UK is leaving the EU, their regulations don’t apply, but this isn’t the case. The UK will still be part of the European Union by the time the GDPR is in full force, and even after we leave the EU we still need to be able to work with them. Digital minister Matt Hancock said the GDPR should become part of UK law as it was a “decent piece of legislation”. He has emphasised the importance of uniform standards in order to maintain data exchanges with the likes of the EU and the US, and that the UK would meet the standards set out by the Union rather than asking them to meet ours.
For an in-depth guide on how to become GDPR compliant see the article below:
Words by Lauren