For those who don’t know about GDPR, it stands for the General Data Protection Regulation, and is a new set of rules passed by the European Union which aim to reform the outdated and inconsistent EU Data Protection Directive. The GDPR will come into effect from May 2018 and will be applicable across all 28 EU member states.
However, for those of you who believe Brexit means you won’t be affected, it doesn’t matter whether you are an EU citizen or not. It’s not about where the data resides, but who the data is about. If an organization outside the EU is collecting personal data, and that data belongs to a citizen of the EU, it must comply with the rules or face heavy financial penalties (€20m or 4% of annual turnover).
While many would agree that such measures are long overdue, given that many companies and organizations are still not adequately handling sensitive data, the implementation of GDPR will disrupt workflows and incur substantial costs.
Firstly, organizations with over 250 employees are legally obligated to hire a data protection officer (DPO).
Secondly, GDPR compliance comes with a steep learning curve, so staff members will require sufficient training, incurring further costs.
We must also consider the possibility of regulatory loopholes. Jeremie Zimmermann – a French computer scientist – has criticized the draft for its use of vague wording, such as “legitimate interest,” and claims that this could allow large corporations to “exonerate themselves from the legislation.” If our personal data were used to enrich and empower a select group of corporations, this would undermine the legislation’s principal objective.
It’s also worth noting that, while the GDPR sets out to protect the rights of individuals by allowing them to exercise their “right to be forgotten” etc., complying with the GDPR will give regulators “unprecedented powers to intervene in business.”
When it comes to safeguarding sensitive data, and giving data subjects more control over how their data is processed, I think we can all agree that something has to be done. And while added costs, potential loopholes, and officious enforcement protocols may give rise to a new set of problems, such directives will surely promote a widespread awareness of data protection, and of the current lack of it.