The General Data Protection Regulation (GDPR), an EU-wide law, has applied since 25th May 2018 and was implemented in the UK through the Data Protection Act 2018. The regulation was announced on 27th April 2016, allowing data controllers and organisations over two years to ensure compliance.
Whilst the GDPR did not apply to businesses until the 25th May 2018, it technically came into force on 26th May 2016. It was at this point that data controllers started to put strategies in place to become GDPR compliant. Accordingly, by 25th May 2018, companies were expected to be compliant and could be prosecuted for non-compliance from this date.
Prior to the introduction of the GDPR, UK data protection was regulated by the Data Protection Act (DPA) 1998. This was the UK's implementation of the EU's Data Protection Directive 1995 (just as the DPA 2018 is the UK implementation of the GDPR).
Why Was the GDPR Adopted?
The EU's Data Protection Directive 1995 led to each member state implementing its own national law. Whilst they all strove towards the same objectives, they nevertheless differed slightly in their approach to handling personal data. These mismatches slowed down and inhibited the free movement of data across borders within the EU. Following implementation of the GDPR, all member states have to adhere to the same rules, and data can be freely transferred around the EU whilst still being protected and secured under the GDPR's provisions. This facilitates free and easy data flow, which benefits individuals and organisations across the EU.
The DPA 1998 was passed before the birth of social media and the other digital technologies we use far more frequently in the new millennium. With such vast quantities of digital data being collected and stored, new legislation was required to address how this could and should be processed to maintain privacy. A public example of the need for raised awareness about personal data protection was the Facebook/Cambridge Analytica scandal, in which the sensitive personal data of 87 million Facebook users was inappropriately harvested and used for political gain by Cambridge Analytica. The data included public profile, page likes, birthdates and address information. Some users also had their news feed, timeline and messages infiltrated.
Cambridge Analytica used the information to compile psychographic profiles of Facebook users and then target them with advertisements. It is thought that the data was used to influence the 2016 US election in Trump's favour, as well as other political events. The headlines resulted in a public outcry for greater consumer protection whilst using social media and an increased appreciation of data privacy. Facebook's share price fell dramatically as the breach hit news headlines worldwide, illustrating the blow Facebook's reputation took.
Why is it Important to Adopt GDPR Best Practices?
As of 25th May 2018, the EU GDPR became a legal requirement. Compliance is therefore not a choice but an obligation. The GDPR benefits both data subjects and the organisations that process their data.
Data breaches can badly affect data subjects, leading to emotional, physical and material damage, as well as putting them at increased risk of identity fraud. Equally, data breaches can have crippling effects on the responsible organisation. The Information Commissioner's Office (ICO) can issue fines of up to €20 million or 4% of a business's annual turnover, whichever is greater. Additionally, as illustrated by the Facebook scandal, reputational damage can be as catastrophic as any monetary penalty. Data protection training and up-to-date knowledge of the legislation can help mitigate these risks and protect both your business and those whose information it holds.