Mark Knight, Director of Product, provides an early prediction for what to expect when the GDPR comes into force in May 2018.
Here at Grosvenor Technology, we’re always examining best practice, new standards and the latest regulations to ensure we’re one step ahead of our customers’ needs and expectations.
One example is the forthcoming General Data Protection Regulation (GDPR), which was adopted by the European Union in April 2016 and applies across the EU from May 2018. As an EU-wide regulation, it applies automatically in all member states without the need for national implementing legislation. However, since the UK intends to leave the European Union, the British government is currently introducing complementary legislation in the form of a new Data Protection Bill that is before parliament. This will ensure that post-Brexit the UK's data protection laws remain compatible with (and therefore at least as strict as) EU law. In other words, Brexit doesn't mean the UK can ignore the GDPR!
The broad purpose of the GDPR is to ensure that people are able to exercise control over their personal data. Personal data is classified into two types:
- Personal Data: Any information relating to an identified or identifiable person. This may include a name, postal or email address, identification number, online identifier, IP address or RFID tag.
- Sensitive Personal Data (the GDPR's "special categories" of personal data): A higher tier of information that includes biometric data such as fingerprints or facial images, where that data is processed for the purpose of uniquely identifying an individual. A photograph on its own is not automatically biometric data; it becomes so when it is processed by technical means to identify someone, for example by facial recognition.
As a general principle, personal data may only be processed on a lawful basis. The most familiar basis is the individual's consent, which must be freely given and which the individual can withdraw at any time. Organisations must implement appropriate technical and organisational measures to protect personal data and, in the event of a breach, they must notify the regulator within strict time limits (72 hours of becoming aware of the breach) and, where the breach is likely to result in a high risk to individuals, notify those individuals as well.
Organisations that play fast and loose with personal data could face enforcement action and, within the UK, the Information Commissioner will have the power to levy fines of up to the greater of €20 million or 4% of a company's annual worldwide turnover. That is a dramatic increase from the maximum of £0.5 million under the pre-GDPR regime. Data subjects may also be eligible to claim compensation for damage they suffer.
Despite some uncertainties over the interpretation of the new law, organisations throughout Europe are racing to ensure compliance and avoid these potentially enormous penalties. A myriad of procedures, systems and networks need to be reviewed, and many will need to be upgraded.
We're just a few months away from the annual flurry of predictions for 2018, so please indulge me with a quick prophecy. Many organisations that own and manage their own information processing systems will shortly discover they lack the resources and expert knowledge needed to audit and update their infrastructure to be GDPR compliant. In 2018, the preferred solution will be to outsource and centralise the processing of personal data with specialist service providers. The economic, compliance and security arguments for keeping sensitive data processing "on-premise" will falter.
Some of our customers have already started the GDPR journey. Of course, there will always be those who choose to stay on-premise, perhaps because they have unique requirements, dedicated compliance teams or great partners. That is one reason why we're investing in solutions that support both deployment models, so our customers are always free to make that choice.