GDPR – What now?

We wrote previously about the General Data Protection Regulation (GDPR), and what this ambitious new, legally binding and EU-wide privacy law means. It’s been years in the pipeline, and became law on 25 May, replacing the obsolete 1995 Data Protection Directive.

GDPR aims to regulate the way businesses handle data from EU-based customers. That extends, among other things, to the way data is collected, stored, kept secure and used on a daily basis.

Unless you don’t use email at all, you can hardly fail to have noticed the deluge of alerts from every organisation you’ve ever interacted with online, begging you to ‘click to stay in touch’ or informing you of a ‘changed privacy policy’. GDPR has become mainstream, sparking a host of social media gags, and was discussed on Jeremy Vine’s Radio 2 lunchtime show.

Indeed it’s one of the most talked-about pieces of EU legislation in recent history.

Meanwhile, meditation app Calm got BBC announcer Peter Jefferson, famous for his shipping forecasts, to narrate highlights as an adult lullaby.

But GDPR was no joke for tech giants Facebook, Google, Instagram and WhatsApp, who found themselves slapped with complaints within hours of GDPR becoming law, accused of forcing users to accept targeted advertising. Should the complaints be upheld, these websites may have to change the way they operate, and could face hefty fines (up to 4% of annual global turnover or €20m, whichever is greater, although the process of getting to that stage is a long, drawn-out one).

In the event of a data breach, regulators must be informed within 72 hours. If you’re found to be non-compliant and have misused, lost, exploited or otherwise mishandled personal data, again there are stiff penalties. However, it’s just as important not to be over-cautious, or to report incidents that don’t constitute a data breach. There’s no need to live in fear about what you’re doing with data.

As with most major changes, GDPR has split opinion. Many are hailing the protection it will offer, and its return of power to the end user, while one lawyer compared it to a software upgrade from version 1.0 to 2.0. For those who haven’t previously taken data protection seriously, it may be a stark wake-up call. Industry insiders also point to potential long-term gains for the UK’s economy, stressing that compliance doesn’t have to be financially ruinous.

A recent NetApp survey found that 44% of those questioned believed that GDPR could help them be more competitive, despite nearly two-thirds (61%) reporting not being ready with one of its key aspects – data anonymisation.

Equally, it’s a real opportunity to embrace transparency and support your brand by demonstrating trust and integrity around data.

Some smaller organisations, reports tech website ZDNet, have felt forced to cherry-pick those parts of GDPR they deem most important, since they’re struggling to get everything done. But no matter how prepared you are, you can’t afford complacency – you need to constantly be vigilant that you remain within the law as practices and technologies change.

Critics have also complained that the change is too burdensome, especially for smaller organisations.

Previously, we could only guess at the impact of GDPR. Now it’s arrived, what will it mean in practice? Will we really receive fewer emails, and will those we do receive actually be meaningful?

The short answer is that no one really knows. But what is certain is that May 25 was the start, not the end, of a new era of data privacy in which organisations must constantly reevaluate security and scrutinise the consequences of failure. The journey has only just begun. For it to work, the industry will have to change its mindset around data protection, while the law must be supported by a strong compliance and enforcement culture.

We know the issues involved may still seem bewildering at this stage. At Front Page Advantage, we can help – talk to us if you have any concerns.