Living in an increasingly digital world has brought about undeniable changes to our lives. One of the consequences of this is the amount of data we all share, including many of our personal details. Medical professionals, retailers, insurers and numerous other service providers all hold personal data, some of which is highly sensitive.
However, the way our data is used isn’t always clear and nor can we be sure it is being kept secure. The new General Data Protection Regulation (GDPR) the EU is introducing next May aims to tackle this by creating new rules to keep data safe. It will also give people greater control over how their personal data is used.
While many organisations are now aware of the legislation, they are not as clear about the precise impact it will have on them and what new data practices they need to adopt. What’s more, there is no shortage of conjecture on the subject. So, Sam Reed, a certified GDPR Practitioner and the Chief Technology Officer at AirIT, is going to clarify the truth behind some of the myths circulating.
Myth - It’s not relevant to the UK because of Brexit
Reality - Because the legislation is being introduced while Brexit is being negotiated, some believe it won’t apply to the UK. Others believe it will only apply until March 2019, when we are due to leave the EU.
In fact, the legislation will apply to anyone who offers services to EU citizens, regardless of where you are based. Even if you don’t handle EU citizen’s data, you will still have to adhere to new data protection laws being introduced to the UK. The government says the proposed changes, which have already been detailed in a Data Protection Bill, will incorporate GDPR’s rules. They are doing this to help Britain prepare for a successful Brexit.
The new UK law will replace the 1998 Data Protection Act and aims to make the UK fit for the digital age.
Myth - There isn’t enough clear information on consent available to start preparing
Reality
One of the changes GDPR will make is raising the standards for getting consent to use people’s data.
Some organisations believe they should wait for the Information Comissioner’s Office to issue their final guidance on consent before they make any changes but this isn’t necessary.
The ICO says it is waiting for Europe-wide consent guidelines to be published, so they can offer consistent guidance. In the meantime, they have given draft consent guidance which they don’t expect to change much when they publish the formal guidance.
The guidance given includes obtaining explicit consent, naming third parties who will rely on the consent, and making it easy for people to withdraw consent. An important point to clarify is that you don’t always need consent. For example, banks sharing data for fraud protection, or local authorities processing council tax information, can use a different lawful basis to consent.
Myth - GDPR is going to revolutionise the way we handle and use data
Reality
There is currently so much hype surrounding GDPR, it is easy to believe it is going to completely change how we use data. But the ICO is keen to point out the new law is “an evolution not a revolution”.
The new law will keep many of the same principles as the current data laws and simply build on these.
Those who follow the current data protection laws are already likely to be in a good place. They now simply need to review and update their current procedures, which won’t just keep them on the right side of the new law but will benefit them too.