Why GDPR?
In yesterday’s post What Not To Do When It Comes To GDPR I outlined the confusion that the GDPR laws have spawned. Understanding why the GDPR rules were introduced, and what they are aiming to achieve will help in complying with them.
GDPR is the first wholescale attempt to tackle the many privacy issues and risks that arise from the processing powers of modern technologies and the internet. Protecting people’s personal data is a fundamental human right and is enshrined in the law.
As business owners with access to other people’s information we have responsibilities to support those rights. The old data protection laws were introduced at a time when the world was a very different place. They pre-dated the internet. Google had only just been founded and it was another 7 years before the iPhone was released.
GDPR addresses a new world where social media, cloud technologies, and apps often require access to our location, images, emails and other personal information. All of this means that behind the scenes our “personal data” is being processed and is forming part of massive, and ever-growing datasets. This in turn has led to the development of other technologies with names like big data and artificial intelligence (AI), which have major implications for data protection law.
The new technologies provide such extensive abilities for businesses to profile us and use data about us in ways we may not even be able to imagine, that if things continued unchecked by legislation our privacy would be seriously endangered. It’s worth watching the Black Mirror TV films to realise how important privacy is. It shouldn’t be taken for granted.
Terms and Conditions
It’s true that nobody reads terms and conditions when they want to use a new app or useful tool. The upshot is that we tend to agree to all sorts of conditions without even being aware what we’ve signed up for. However, that’s not because we don’t care about our data. It’s because we assume there is no alternative. The reason we don’t read terms before we give consent to use of our information is that we often don’t have time, and want to avail ourselves of the services and tools on offer.
The GDPR regulations are designed to ultimately enable us to get access to products and services without giving away so much of our data. GDPR changes the existing scenario by ensuring we become better informed about the implications on the one hand, and are given real choices on the other.
For example, the regulations impose requirements on tech companies to educate us and to design their platforms with privacy considerations in mind. This means a “take it or leave it” stance to accessing our information in return for letting us use an app is unlikely be the prevailing attitude of future apps.
The legislation has teeth. There are eye watering fines for companies that ignore GDPR, which will have even the richest of them pay attention. All of us need to minimise the data we collect to what is really needed.
I’ve sometimes wondered whether some ecommerce sites really need to take my date of birth when all I’m doing is buying an item of clothing and paying by credit card or paypal. Why ask for my date of birth during the registration process? I used to abandon my shopping if a site asked for my date of birth, but then as more and more of them did so, I reluctantly gave them this information. But it didn’t mean I was happy to share this data.
GDPR discourages taking more information than necessary for the product or service to be delivered. By reducing the information we must give when signing up with a new provider we will be able to minimise the quantity of data that is collected about us. Data minimisation is an important GDPR principle.
GDPR Will Be Even More Important After 25 May
GDPR is no Y2000 or deadline driven momentum which will go away once we pass 25 May. Far from it.
It’s worth mentioning here that the UK is firmly committed to complying with GDPR long term so Brexit will not affect the applicability of GDPR to UK businesses. Even organisations outside the EEA are realising the implications GDPR has on them (because they process EU individuals’ personal data) so they’re busy making changes to their platforms to avoid being locked out of the EU market. They have little choice but to comply with the EU’s GDPR laws and nor have you.
Although there are powers to impose hefty fines and administrative penalties, the ICO has been at pains to let it be known that fines are not going to be their first line of attack. Instead they want to encourage and educate so that all businesses become aware of the new laws and implement necessary changes.
Work Towards Compliance Now
Still that doesn’t mean the ICO’s tolerant stance is condoning those business that are taking no action, and simply ignoring compliance with GDPR.
Coming to the attention of the regulator is never desirable, as it could take up time and resources you may not have, and end up costing you a lot more money as a result. Far easier to take stock now and deal with it, and get peace of mind that you’re on your way to complying with GDPR. What’s the point of delaying?
25 May will be just the beginning of a sea change in the way businesses manage and process data. GDPR is designed to make us all far more responsible and thoughtful about the data we hold. There will be a gradual cultural shift such as occurred with stop smoking campaigns, or seat belt wearing, or not drinking and driving. Our children and grandchildren will become savvy about their data, and will use the available controls to protect their data and minimise what they give access to.
GDPR Is Overwhelming
I’m not going to try to minimise it and tell you that complying with GDPR will be simple. The truth is that GDPR is all encompassing, impacting so many different areas of a business that it can be quite overwhelming for businesses. Business owners are already time poor and stretched thin. Taking on the onerous obligations of GDPR on top of managing a business is no mean feat. However, it is a legal requirement to comply. Also, it does present a chance to run a better business.
I’m confident that businesses that adopt the right approach and tackle GDPR by putting in place the right systems and procedures will improve their businesses in the process. They will also find it easier to work towards compliance on an ongoing basis ensuring that GDPR principles become second nature to them.
So, I would urge you to take the plunge and embrace GDPR, as you do so many other areas of your business. Begin to understand your obligations so you can put in place the steps to take responsibility for the data you’re handling.
Once you’ve set your strategy, including for matters like marketing, and drafted your GDPR compliant Privacy Notice you’ll need to send it to your clients and subscribers and add it to your website. Your data subjects have the right to know how you collect and process their personal data, for what purposes you use their data, the legal grounds of processing such data, and how you keep their data secure, as well as their rights in relation to such data. That’s what the new style Privacy Notice details.
In tomorrow’s blog Quick GDPR Compliance Plan we’ll look at tactical seps to complying with GDPR.