For most organisations this will be the year they finally begin implementing comprehensive, well designed and well documented data privacy practices. The reason for this? The General Data Protection Regulation. 2016 started with most organisations having very little visibility of the GDPR and its potential impact. A small number of people in internal audit might have known that the European Union had been working for the best part of 8 years on drafts of a new regulation, but there was no firm guarantee that 2016 would be the year it was passed into law (several other years had started with that expectation and failed!). As a result, there was no reason to brief the wider organisation on the impending changes. 2017 has started with many more people aware of the changes, including budget holders. And 2018 will begin with many organisations already compliant; anyone in the organisation with access to sensitive data will have to have been thoroughly trained on the key rights and guidelines of the GDPR along with, importantly, how to report a breach. This in itself is key to compliance.
The regulation comes to replace the previous Data Protection Directive of 1995*. 1995 does not seem like a long time ago for an updated law. In the UK for instance, large swathes of currently applicable law date back tens or even hundreds of years. For example, it is illegal to die in the Houses of Parliament, apparently because the deceased would be eligible for a state funeral. The UK also still has a law from 1313 which makes it illegal to wear a suit of armour when entering parliament. For more on this subject, see: http://www.telegraph.co.uk/news/uknews/1568475/Ten-stupidest-laws-are-named.html
However, in the case of the Data Protection Directive of 1995, it is the subject matter which makes this law remarkably old. It was written before Google existed, before anyone (Trump included) had the means to tweet, and before Facebook allowed people to dump their personal information onto the internet by the truckload.
At a high level, the GDPR applies to 'Data processors' and 'Data controllers' and governs how they must approach the sensitive personal data of 'Data Subjects'. The scope of what constitutes personal data has been widened to include IP addresses, biometric data, etc., but beyond that this part remains very much in line with what came before. The regulation lays out principles for data processing and defines the rights of the data subject. The data subject now has the right to know what data of theirs an organisation is storing and for what purpose. They can challenge the validity of storing such data if it seems excessive for the purpose provided, and they can request the removal of their data. (The 1995 Directive contained this provision, but the onus was on the data subject to prove that the organisation no longer required their data, which is very hard to do without any knowledge of the organisation's IT systems and business processes.) Under the GDPR the organisation must remove the data or prove why it needs to hold it, and that need must be proportionate and lawful.
In the tough economic conditions of the last 8 years, many organisations knew they should do more on data protection, but there was no financially compelling reason to do so. In the UK, TalkTalk were fined £400k for a breach that could have been prevented if TalkTalk had taken basic steps to protect customers' information. The fine was 80% of the maximum possible under UK law. Under the GDPR the maximum fine is raised to 4% of global turnover, or €20M, whichever is greater. 80% of that limit for TalkTalk would have been approximately £70M, a sum which would put many organisations the size of TalkTalk out of business. The rights under the GDPR are based on the data subject being a European citizen, rather than on where the data is stored or the company is registered. For example, if I travel to the US and hire a car, I could then request information on how my data is being stored and will be used, and request removal of that data if I am not satisfied. If the hire company flatly refuse to provide information and it is later proven that their protection of my data was lax, could that be a six-digit fine? How this will be received by countries outside the European Union will be very interesting in the current global trade climate.
For many years, consumer data has been seen as a great asset. Companies like Google store massive amounts without necessarily having a reason to do so at the time. Will that trend reverse in 2017? Will what was once an asset now be seen as a liability?
Organisations that know they should do better, but push the data privacy subject to the back of the queue for budget reasons, will no longer be tolerated. Data protection must be by default and by design from the 25th May 2018 onwards, and organisations must have the documentation to prove that it is. That means a lot of new business processes and IT transformation projects. New systems, new software but most importantly new attitudes to our data. At the end of the day it is our data and the law will soon reflect that.
* Which begs the question, “What is the difference between a Directive and a Regulation?” The key difference is that the former requires each member state to define their own laws to meet the needs of the directive, whereas the latter is itself a law that applies to all member states directly, with sub-articles which may have local variations as required.