In that ridiculous, stupid, constitutionally redundant, binary, idiotic Cameron referendum, I voted Leave. I’m no fan of the EU or its institutions, but that was never to say that everything it does is wrong. I firmly believe that the UK should leave it, and I have never wavered on that enough to change my mind, but there are doubtless some good things about it.
I’ve no intention to rerun the arguments, or provide a defence of my position here – I did all that at the time and it’s become intensely boring. Being attacked for it is no fun, especially from the side of the political divide that is supposed to be nice, tolerant and espousing a ‘kinder, gentler politics’. But that’s what happens. You learn to live with it.
This post is to praise one of the truly great things the EU has pursued – the ‘General Data Protection Regulation’, or ‘GDPR’.
GDPR has been variously described as ‘the Data Protection Act on steroids’, ‘severe’ and ‘the biggest change to the regulatory landscape of data privacy’. It is a behemoth of a piece of legislation and has put the proverbial willies up everyone who does anything with personal data.
Ironically, the one thing that I think is great about the EU is the one thing that my lefty, Remainer friends are much more flustered about. It hasn’t gone down too well in my industry, where it is causing quite the headache for all involved or affected. It means a huge change in thinking, a completely different approach to data collection and retention and, most importantly of all, puts control of personal data firmly back in the hands of individuals.
To give a quick overview of what is an enormous, technically complex law, it allows individuals to gain control over their data and what happens with it. It may sound dry and boring, but I can assure you, it is an important step in the right direction.
Here is a list of some of the key points:
- It applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location.
- Under GDPR, organisations in breach can be fined up to 4% of annual global turnover or €20 million (whichever is greater).
- Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
- Breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach.
- Data subjects will have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
- The right to be forgotten – this entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
That’s right – these guys aren’t messing around.
As I mentioned before, most people working in my industry (digital) are in a right flap about this. There are so many practices that are either going to have to stop, or be changed radically. Retro-fitting of websites, apps and online portals with new tools to ensure compliance with GDPR is happening at the moment (and if it isn’t, they’ll be in trouble).
But to be honest, whilst everyone loses their heads, I’m absolutely loving it. This is what needs to start happening. It has been 4 years in the making and, in my opinion, it’s all been worth it. Yes, we’re all going to have to make some changes. But these changes are intended to level the playing field and tip the balance back away from large, powerful, secretive (not any of my clients, obviously), companies and towards individuals. We simply cannot continue the way we have been – technological advancement has outstripped legislation at a pace that has allowed all of us to be swept up by it all, without adequate protection.
We have just had the result of a Guardian investigation that has provided revelations into ‘Cambridge Analytica’ – it’s still going, and it looks like it will be one of the biggest scandals the digital world has ever seen. This should make people wake up and realise just what happens with their data. That old adage ‘if you’re getting something for free, then you’re the product’ has never been more true. We’ve all known that our data is being used, but the extent of it should worry us.
Credit where it is due – the EU deserves a lot of praise for this legislation. It is comprehensive, meaningful and serious. It will be in force before we officially withdraw from the Union, and frankly it won’t make much difference anyway as the regulations cover any data held about EU citizens. America and Japan will have to abide by this as much as we do if they’re holding or processing personal data about EU citizens.
If you think it sounds draconian, consider this – you will be put in the driving seat, and large companies are scared of it. That alone should give you an indication that we’re finally heading in the right direction.