GDPR: Are you ready for the EU's huge data privacy shake-up

Image caption: Our personal data is shared with and processed by dozens of organisations every day

Next month a new law will make the consequences of failing to protect personal data for banks and others far more serious.

The General Data Protection Regulation (GDPR), which comes into force on 25 May, will be the biggest shake-up to data privacy in 20 years.

A slew of recent high-profile breaches has brought the issue of data security to public attention.

Claims surfaced last month that the political consultancy Cambridge Analytica used data harvested from millions of Facebook users without their consent.

It has been a wake-up call for data security.

People are increasingly realising that their personal data is not just valuable to them, but hugely valuable to others.

The growth of technology and electronic communication means that every day, almost every hour, we share our personal data with a huge number of organisations including shops, hospitals, banks and charities.

But that data often ends up in the hands of marketing companies, analysts and fraudsters.

Now the law on data protection is about to catch up with technological changes.

"GDPR is designed and intended to embody a data protection regime fit for the modern digital age," explained Anya Proops QC, a specialist in data protection law.

"It seeks to put power back in the hands of individuals by forcing those who process our data to be both more transparent about their processing activities and responsive to demands for privacy-invasive processing to be curtailed."

Among the many changes are measures that make it:

- quicker and cheaper to find out what data an organisation holds on you
- mandatory to report data security

to respect our data privacy rights," said Ms Proops.

Security

Organisations will have to review their systems and the way people work.

They will have to focus on technical security, including the use of encryption and the robust application of security patches.

But they will also have to use data minimisation techniques, including pseudonymisation - a technique that replaces some identifiers with fictitious entries to protect people's privacy.

Ensuring that staff members are reliable will also be a priority.

Taking personal data "off site" on mobile devices and memory sticks poses particular risks.

A failure to ensure that such devices are encrypted can immediately expose organisations to a fine.

Unwanted emails

We've all had those unwanted emails, annoying targeted adverts, and phone calls from a total stranger who somehow knows that we have been involved in a car accident - when we have no recollection of it at all.

These come from companies who have managed to get hold of our personal data without our knowledge or consent.

It's long been unlawful for such communications to be sent without our consent.

But GDPR significantly tightens up the rules.

Consent must be freely given, specific, informed and unambiguous.

It cannot be buried in lengthy terms and conditions.

That makes it much harder for marketers to establish that they have the requisite permissions, which is why your inbox has probably been littered recently with emails asking for your consent to continue receiving messages.

Oh, and it must be as easy to withdraw consent as it is to give it.

Conflicting advice

The strengthened "consent" is good news for consumers, but preparing for GDPR can be difficult and confusing for businesses.

Emma Heathcote-James runs a small company making natural soaps.

Image caption: Small-business owner Emma Heathcote-James has been given conflicting advice about how to be GDPR-compliant

"One consultant told us if we'd emailed people within the last six months we're absolutely fine to contact them as long as it's not subscribed and it was clear they could have had the option to opt out," she recalled.

"Another consultant said, 'No, no - that's absolutely wrong.'"

Businesses with large client lists run the risk that many customers will ignore their requests and their client lists will shrink accordingly.

Data protectors

Most public authorities and organisations that monitor and track behaviour must appoint a data protection officer.

DPOs' duties will include monitoring compliance with the law, training staff and conducting internal audits.

They will also be the first point of contact for supervisory authorities and for individuals whose data is processed, including customers and employees.

They must be given the resources to do their job, cannot be dismissed for doing it, and must have direct access to the highest level of management.

Message to self, don't mess with a DPO.

Policing the law

The watchdog responsible for all this in the UK will be information commissioner Elizabeth Denham.

"We will have more powers to stop companies processing data, but we only take action where there has been serious and sustained harm to individuals," she explained.

"What this new fining power gives us is the ability to go after larger,

companies will need time to become fully compliant.

"The first thing we are going to look at is, have they taken steps, have they taken action to undertake the new compliance regime," she added.

"Do they have a commitment to the regime?

"We're not going to be looking at perfection, we're going to be looking for commitment."

Large fines will be reserved for the most serious cases, she said, when a company refuses to comply voluntarily.

Overall effect

Companies will be obligated to clearly inform individuals about why they are collecting their personal data, how it is going to be used and with whom it is going to be shared.

All of which means that the GDPR should make our personal data safer and less easily obtained by those we don't want to have it.

But there will be teething pains and some organisations that do not adapt in time will suffer.

And forget the idea that this could all become moot post-Brexit.

Although GDPR is a piece of EU law, the government has made it clear that the UK will remain signed up.

There are probably two reasons for this: first, if the UK watered down its data protection laws after Brexit, this might result in other Europeans treating the country as a pariah state, which would have an impact on trade.

Second, in the current privacy-preoccupied era, there is unlikely to be much public appetite to dilute GDPR's protections.