GDPR: Four years on
It’s been four years since the introduction of the General Data Protection Regulation (GDPR), the landmark law governing how organizations operating within the EU use, process, and store consumers’ personal data.
The revolutionary regulation has become one of the world's strictest privacy and security laws. Since its inception, it has seen hefty fines imposed on large and small companies that have been non-compliant, with high-profile cases including British Airways, Marriott Hotels and Amazon.
The purpose of GDPR is to provide a set of standardized data protection laws across all member countries. This makes it easier for EU citizens to understand how their data is being used and raise any complaints, even if they are not in the country where it’s located.
Since its inception, it has prompted significant global improvements in the governance, monitoring, awareness, and strategic decision-making regarding the use of consumer data. Not only that, but GDPR legislation has pushed the topic of data privacy to the forefront, with a whole host of other countries also stepping up their data privacy laws.
For example, following its departure from the EU, the UK recently announced a new Data Reform Bill. The bill seeks to modernize the UK Information Commissioner’s Office (ICO) by providing it with the power to take 'stronger action' against businesses that breach data rules while also requiring the ICO to be accountable to Parliament and the public.
With the ramifications of poor data privacy heightening across the globe, understanding the fundamental principles of good compliance is critical.
The Seven GDPR principles for organizations
Organizations cannot underestimate the importance of data compliance in the current climate. However, while most will be acutely aware of the penalties for non-compliance and the importance of GDPR, many still find the rules tricky and complex to navigate.
In essence, GDPR sets out seven principles for the lawful processing of personal data, where processing covers the collection, organization, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure, or destruction of personal data. The principles are set out right at the start of the legislation and inform everything that follows. They don’t give hard and fast rules but embody the spirit of the general data protection regime with minimal exceptions. The seven principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Compliance with the spirit of these key principles is a fundamental building block for good data protection practice. Failure to comply with the principles leaves organizations open to substantial fines up to £17.5 million, or four per cent of total worldwide annual turnover, whichever is higher.
A straightforward way to ensure that an organization stays compliant is to review its data protection practices frequently. The below GDPR checklist has proven an invaluable resource for many struggling to navigate the regulation. It’s worth taking the time every six months to ask:
- Have you clarified that your organization is taking GDPR seriously?
Awareness is key. Ensure your team understands your expectations regarding compliance by educating the entire organization about procedural and operational directives.
- Have you suspended all non-compliant data collection?
The answer at this point should be a resounding "yes." However, it's also essential to ensure that your organization puts policies and procedures in place, enabling the acquisition of legitimate consent -- wherever and whenever data is collected.
- Do you identify and log all current data?
Implementing genuinely effective data handling and storage procedures is impossible without understanding what data you have collected from individuals. Regular audits of any collected data are vital for a holistic understanding.
- Do you continuously review your data practices?
Reviewing data practices regularly is essential for ensuring continued compliance. It’s important to reflect on whether current governance practices are sufficient to comply with GDPR. The overseas movement of data also deserves close attention, so that storage and processing remain on the right side of the law.
- Have you clearly communicated your intentions to your employees and customers?
Create and update your organization's literature to clearly communicate the rights of individuals when it comes to personal data, taking every opportunity to reiterate your commitment to protecting personal data.
- Do you have a data protection officer (DPO)?
Who is your DPO? Every organization should appoint someone responsible for ensuring it is correctly applying the relevant laws protecting individuals’ personal data.
GDPR and the future
Undoubtedly, GDPR has been a ground-breaking law, revolutionizing how we all think about data. However, four years on, data protection is still often treated as an afterthought, and it's crucial that organizations push it higher up the corporate agenda. After all, GDPR has empowered the public, improved our trust in the emerging digital economy and streamlined data protection across the EU (and effectively the world), meaning goods and services now flow more freely, and confidence between organizations and the public has increased.
Image credit: Nikola Stanisic / Shutterstock
Andy Nickolls is Director of Compliance Solutions, EMEA at Skillsoft