‘We’re all going to have to change how we think about data protection,’ - UK Information Commissioner Elizabeth Denham, January 2018.
Considering that the current directive dictating data privacy and protection laws across the EU is over 20 years out of date, it is fair to argue that the refreshed update to come into force later this month, General Data Protection Regulation (GDPR), is well overdue.
GDPR will change how businesses of all types process and handle our personal data, and try to address the growing concerns about how it is treated in the digital age, amid the rising threat of cyber-attacks. Although GDPR has been in the pipeline for over four years, many companies are expected to be caught out, and the new legislation is likely to reveal a lot about whether or not companies even understand the data they collect, and just how secure it is.
It will ultimately test a company’s ability to effectively process and handle our data in a secure manner, and how well they can demonstrate that to authorities that are running out of patience and consumers that are becoming increasingly anxious about their data.
What is GDPR and when will it be introduced?
GDPR is legislation regarding data privacy that comes into force in the EU on 25 May 2018. GDPR was approved by the EU Parliament in the middle of April to replace a previous directive covering data protection law.
GDPR can be regarded as an important update to previous laws that failed to address the challenges that technological developments have yielded over recent decades, bringing data privacy legislation up to speed while ensuring that all EU member states remain aligned when it comes to data privacy law. The UK has chosen to adopt GDPR in full, even after Brexit, to ensure it remains aligned with EU laws after it leaves the bloc.
Although GDPR is focused on the digital side of data, it still covers paper documentation and goes beyond the data collected about customers, covering information about the likes of staff.
The ‘Tortoise and the Hare’ is a rather apt metaphor. Technology evolves at such a rapid pace that governments can barely keep up with the latest development before another one comes along - look at cryptocurrencies. But regulation eventually catches up and tries to get one step ahead of technology. Governments, making up for lost time, look to overhaul regulation rather than tweak it, and judge whether the industry’s interests are aligned with the public’s.
This is demonstrated by the number of high-profile cyber-attacks in recent years. In the four years alone that it took GDPR to get through the EU Parliament, there were the likes of the WannaCry ransomware attack against computers around the world, and attacks on companies like TalkTalk, Sony, JPMorgan, Tesco and Home Depot, to name just a few.
What companies will be most affected by GDPR?
Although GDPR will become enforceable imminently, its introduction is likely, in reality, to be more gradual, with regulators more eager to ensure that companies are working toward compliance than to penalise them for every mistake – of which there will be many.
There are two primary types of companies targeted. The first are data controllers, which are companies that decide which data to collect and how to collect it. These are the companies that must justify why the data exists in the first place. The second are data processors, which process data on behalf of controllers.
It is clear who GDPR is aimed at and the initial pressure is likely to fall on the big players, those that have more of our personal data than any other company. However, the biggest casualties are more likely to be firms that collect and aggregate data for a living, as people flex their new control over their data and become more conscious of who has access to their data (and why). Many companies may look to bring data collection and analysis work in-house, as outsourcing becomes less practicable, which in turn would damage the availability of specialist skills some of these companies offer.
The trade-off between supplying your personal data in return for a service will grow. Companies looking to harvest and gain from your information while providing nothing in return will have a tough time adapting to the new law. Ironically, this would benefit those providing important services to the public in return for their personal data, like Alphabet and Facebook. Even if their own ability to target adverts is negatively impacted, they will prevail ahead of smaller competition, which will struggle to provide accurate services if they can’t secure the data they need under GDPR, giving the pair further headway in a market that they already dominate.
The fallout following the poorly-timed Cambridge Analytica scandal, combined with the introduction of GDPR, will keep Facebook and Mark Zuckerberg well within the crosshairs of regulators on both sides of the Atlantic. However, the likes of Alphabet, Microsoft, Apple and social media companies Twitter and SNAP are also likely to be among the first to receive a visit from regulators looking to test their compliance, and are likely to face the most scrutiny while being given the least leeway. Then there are the big data firms like Intel, IBM, Oracle and HP Enterprise.
Facebook’s troubles also highlight the severe problems with how data is shared between companies, when one firm passes on data to a third party, or purchases data from a third party. Governments need to urgently address how companies trade our personal data with one another for their own gain, and much of GDPR’s success will be predicated on how effective it is at tackling that.
It is important to remember that big tech would much rather work with governments to try to shape the regulation they will have to abide by, rather than fight against it and have no say in how their industry is governed. In turn, governments can be willing to let industry govern itself if it can do so effectively (much of big tech’s current operations involve largely unregulated activities), but have to take action should it prove industry can’t.
What’s different about GDPR compared to the previous directive?
‘GDPR makes its applicability very clear - it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not,’ – The European Union.
The foundations of GDPR remain the same as the previous directive, but include many substantial changes that will have a material impact on the digital economy.
The biggest issue that GDPR addresses is the ability of a company to operate in the EU but circumvent EU laws by being based elsewhere. The previous laws were unclear about where data was being processed and therefore what jurisdiction it fell under. This allowed a tech firm to operate in the EU but argue that it processed the data somewhere else, like the US, and flout EU data laws, which has previously led to some high-profile court cases. However, GDPR will apply to all companies processing personal data in the region, regardless of where they are headquartered.
GDPR is significantly different to the previous directive in other ways, including:
- Penalties: companies in breach of GDPR can be fined up to a maximum of 4% of the annual revenue they generate globally, or 20 million euros (whichever is greater)
- Permission: companies must make terms and conditions simpler and secure consent from subjects using an ‘intelligible and easily accessible form’
- Breach notification: cyber-attacks that are likely to ‘result in a risk for the rights and freedoms of individuals’ must be reported within 72 hours, and companies that discover a breach of GDPR must report it immediately and without delay
- Consumer access: subjects will have the right to access the data that companies have collected, and ask where it is stored and why they are keeping it
- Delete data on request: subjects can ask companies to delete data they have about them, or the ‘right to be forgotten’, and prevent that data from being shared with third parties
- Privacy by design: this means companies must take data protection into account when designing new systems, not after they have made them. This has been widely adopted already but is only formally coming into force under GDPR.
- Data protection officers: the largest controllers and processors must appoint an officer who will liaise directly with the company on GDPR matters while reforming the way information must be logged and reported.
But what does this all mean for businesses? In a nutshell, companies have to firstly understand what data they have and where it is stored, then justify the reason they store it, before organising the data in such a manner that any data requests from the public or authorities can be swiftly handled. A tell-tale sign that a company is struggling to comply with GDPR will be any inability to deal with data requests.
Many companies will have to look beyond their own internal systems to truly ensure they are compliant, evaluating how data is shared with any external players like subcontractors or advertising partners. This area will also prove to be a big headache for the likes of cloud-computing companies that are built around data-sharing.
What fines could big tech firms face under the GDPR?
With firms facing fines of up to 4% of annual revenue generated globally for severe breaches of GDPR, the biggest companies in the tech space have a lot to lose if they fail to comply. Firms could see GDPR-related fines of the following based on their latest annual revenue figures: