By now, you’ve almost certainly heard people talking about GDPR.
The General Data Protection Regulation is a European Union policy designed to defend consumer data and ensure personal details aren’t permanently stored in corporate databases.
And even though the UK probably won’t be in the EU for much longer, a forthcoming Data Protection Bill will replicate GDPR and ensure its regulations impact upon us in the future.
Indeed, in many respects, it’s already impacted on us.
You’ve probably received a number of emails recently from firms you’ve previously bought from or registered your details with, asking you to confirm you’re happy to hear from them.
For many people, this has been the most visible impact of GDPR to date.
But with the new EU-wide regulation coming into effect on Monday the 25th of May, you’re going to be hearing a lot more about this regulatory change in the coming weeks and months.
Why is additional regulation necessary?
The simple answer is because domestic and international laws haven’t kept pace with the seismic changes in society, particularly regarding the internet and social media.
In the UK, our legal system still relies heavily on the 1998 Data Protection Act, which was written in an age when Snake was seen as a cutting-edge mobile phone game.
The DPA couldn’t possibly have anticipated the advent of cloud computing, smartphone apps or social media.
And as the recent Cambridge Analytica scandal highlighted, a lack of regulation has enabled bad practice to flourish throughout digital media platforms and fledgling industries.
Consumers are increasingly (if belatedly) waking up to the realisation that information provided to companies is stored and used in ways they don’t know about – or understand.
And in many cases, there’s been little accountability when things went wrong.
Yahoo failed to declare data breaches in 2013 and 2014 that affected three billion accounts.
It only admitted what had happened in 2016, when press stories revealed personal data belonging to 200 million Yahoo customers was being marketed to criminals on the dark web.
With data concerns in the news again, a recent report suggested 82 per cent of European consumers plan to view, limit or erase information companies have retained about them.
How will it work in practice?
GDPR combines attempts to bolster data protection standards with a commitment to inform people about where, how and why their information is being retained.
It doesn’t change how we use the internet or which web browser we use, so it’ll be business as usual in terms of online gaming, ecommerce and social media.
Even so, those ‘important update’ emails you’ve been receiving recently are the tip of a legislative iceberg, which companies around the world are attempting to navigate past.
From May 25th, anyone responsible for ‘controlling’ or ‘processing’ data will have to abide by GDPR’s rules on lawful, transparent and specific use of personal data.
This could be anything from IP addresses to DNA, or from political opinions to ethnicity.
Opt-in policies for emails and marketing databases will have to be unambiguously worded, eliminating those endless boxes of small print above a luminous “I agree” button.
Jargon-free English will make it easier to see what you’re signing up for, and apathy won’t be taken as tacit approval any more.
What rights do I have as a consumer?
Anyone holding your information must honour any requests to reveal how much data they hold and what they’re doing with it – akin to a Freedom of Information request.
More significantly, you have the right to be forgotten unless there’s a strong case for your request being rejected (such as a legal requirement).
You can withdraw consent for your data to be stored at any time, and the company must delete any information they hold.
There will doubtless be protracted legal arguments about whether the public sector’s rights and obligations regarding personal data hold supremacy over GDPR, or vice versa.
It’s also safe to assume IT departments will be swamped with queries from the 25th onwards.
There will probably be delays as new systems are rolled out for identifying what information a particular business holds on file for each client.
What happens if something goes wrong?
Companies suffering a data breach have 72 hours to inform the UK’s Information Commissioner’s Office about what’s happened, and what’s being done in response.
Failure to respond within three days may trigger a €10 million fine, and failing to follow data processing rules could incur a penalty of €20 million (or four per cent of annual turnover).
That should prevent any more Yahoo scenarios in future, though it will also shine a harsh light on the many small-scale or low-level data breaches that weren’t previously publicised.