It has been nearly 20 years since the UK’s data protection laws were last updated, in the form of the Data Protection Act 1998. That legislation was intended to bring UK law into line with the EU’s Data Protection Directive, which was introduced in 1995.
Since then, our mobile phones have become miniature computers and we have witnessed the proliferation of internet devices, the birth of online retail and the growth of entirely new industries based on the use of our personal data.
With this in mind, the General Data Protection Regulation (GDPR) is intended to bring the data protection laws for EU member states into the 21st century. The GDPR can be broadly broken down into these three categories:
- Return control of personal data to users.
- Simplify the regulatory environment.
- Require the appointment of a data protection officer where certain kinds of data processing are carried out.
Data processing is a somewhat nebulous term – it might sound like data harvesting, but the reality is far different. “Data processing is pretty much anything to do with the use of data,” says Phil Gorsky, a solicitor and data protection specialist with Blacks Solicitors. “You can process data by having it, giving it to somebody, or receiving it. It is an extremely broad definition.”
Under such a broad definition, almost every company processes personal data as part of its day-to-day operations, and many will therefore need to appoint a data protection officer (DPO).
Article 37 of the GDPR requires controllers and processors of personal information to designate a data protection officer when the processing is carried out by a public authority or when “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”.
This means that relatively small companies could be required to appoint a DPO if they meet these criteria, while some large organisations will not have to because they do not.
Data protection officers
Data protection officers will be responsible for overseeing data security (including the response to cyber attacks) and other critical business continuity issues specific to the holding and processing of personal data. Under the regulation, the DPO's formal tasks are to advise the organisation, monitor its compliance and act as its contact point with the supervisory authority; responsibility for the processing itself, and for any breach, remains with the organisation as controller or processor.
Although there have been no definitive guidelines on what the minimum qualifications or experience for a DPO should be, the regulation states that he or she should be “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks”.
Some companies are therefore looking for candidates with a degree in IT security for the data protection officer role, while others are seeking more specific qualifications. “An important credential would be the certified information privacy professional designation granted by the International Association of Privacy Professionals,” says Alexander Moiseev, European managing director for security firm Kaspersky Lab.
However, the data protection officer need not necessarily be an employee. Some companies, especially those that already enlist third-party consultants to assist with existing local data protection requirements, may choose to extend the duties of these consultants.
The final decision depends on whether it is more cost-effective to contract third-party consultants to manage data privacy requirements or to employ a data protection officer directly, and this can be decided only after a complete data audit has been carried out.
Research by the UK’s Ministry of Justice estimated that it would cost nearly £320m for UK business to meet the requirements of this regulation. Similarly, a report by the Information Commissioner’s Office (ICO) estimates that it could cost small to medium-sized companies that use direct marketing an additional £76,000 a year, with the cost of training marketing staff being about £7,600.
Online shopping and loyalty cards
Retail companies will need to drastically rethink how they use the data they derive from their online shopping and loyalty cards. Any data processing that takes place using this information will need to be fully explained to their users in a clear and concise format, with users needing to give their consent before the data can be processed.
This also applies to fitness applications, where users submit details about their daily dietary and exercise habits. These companies will soon need to be far more explicit in what the data is subsequently used for and to give notice as and when it is used by third-party applications.
“[Loyalty cards and fitness apps] are currently subject to the existing data protection regimes,” says Gorsky. “What [the regulation] is going to mean, though, is that companies that deal with this sort of data, or are involved with this field, are going to be required to do a hell of a lot more to remain compliant.”
Shane Murphy, policy manager at TechUK, agrees that customer-facing companies will be affected the most. “Many of these companies will have to update the consent agreement with their customers in what can be a time-consuming and costly exercise,” he says. “If companies are unable to complete this process, then chunks of their business-critical data become unusable.”
Fintech firms affected
Financial technology companies could also be heavily affected, says Murphy. “The new rules for processing could be problematic for many fintech companies. It will make it more difficult for companies to offer some personalised financial insurance services to consumers.”
Given the sensitive nature of the pharmaceutical industry, it already employs stringent privacy measures to protect its customers. “We already work within, and in some cases exceed, current data protection requirements,” says Paula Brown, compliance manager for healthcare service provider Celesio UK.
“We don’t anticipate that it will have too much impact on the day-to-day clinical and retail operations as the changes will mostly be happening in the background.”
Some companies see the new regulation as an opportunity to revise their existing privacy policies. “We will be performing a full audit of our European operations in relation to data storage, transmission and processing, using this as a basis to better understand what else needs to be done in the coming months,” says Moiseev.
Despite the potential increase in headcount to accommodate a data protection officer, Kaspersky believes the GDPR will ultimately reduce costs. “We believe it will reduce administrative costs and avoid a situation where conflicting national data protection rules might disrupt the cross-border exchange of data,” says Moiseev.
“The UK’s approach to cyber security, especially in relation to the reporting of response to incidents, continues to suffer from sub-optimal co-ordination,” says Hugo Rosemont, crime and security policy adviser for the British Retail Consortium.
Even companies whose core business is not the processing of personal data may still feel the effects of the regulation, such as Maddison, a small product design consultancy that operates in the medical and life science sectors. “The GDPR makes our clients a little bit nervous as to how they are going to handle the data for their clients,” says managing director Vincent Ellis. “They are stepping forward cautiously and taking advice about how to navigate through this regulation.”
Maddison will need to assign a data protection officer to comply with the regulation. Given the company’s small size, these duties will be delegated to an existing member of staff. However, this means that this employee will have less time to focus on their primary role.
“It will mean a reduction in their main capacity, as it would take up a portion of a person’s time,” says Ellis.
Some companies have still not begun to act on this legislation, which leaves them at risk of waiting too long before preparing, and potentially not being fully compliant with the regulation when it comes into force.
Assessing the impact
Other companies, such as Celesio UK, have said they are reviewing the GDPR and assessing what its impact will be, to determine how best to move forward.
Although companies have until 25 May 2018 to comply with the GDPR, it remains to be seen how closely firms will be monitored to ensure they remain compliant and how strictly the rules will be enforced after that date. “There is a difference between what the law says on paper and how it is enforced,” says Gorsky.
Ultimately, the sooner companies start preparing for when the GDPR comes into force, the better they will be able to minimise the risk of finding themselves at odds with the new rules and open to hefty fines.