The Press and Journal (Inverness, Highlands, and Islands)

Setting record straight on major shift in data privacy regulation

- BY IAN FORSYTH

Next month sees the new General Data Protection Regulation (GDPR) come into force across Europe. It is described by the European Union as the most important change in data privacy regulation in 20 years.

But the UK Information Commissioner is concerned that misinformation on GDPR is in danger of being considered true.

The all-important enforcement date for companies to note is May 25.

GDPR aims to protect all EU citizens from privacy and data breaches in an increasingly data-driven world which is vastly different from the previous 1995 directive.

Penalties for organisations breaking the new regulation can be high. They can face fines of up to 4% of their annual global turnover or nearly £18million, whichever is greater.

Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of GDPR, as it applies to all companies involved in the controlling or processing of the personal data of data subjects residing in the EU – regardless of whether the processing takes place in Europe or not.

Part of the expanded rights of data subjects outlined by GDPR is their right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.

The controller has also to provide a copy of the personal data, free of charge, in an electronic format.

This change is described as a dramatic shift to data transparency and empowerment of data subjects.

A right to be forgotten entitles the data subject to request that the data controller erase their personal data, cease further dissemination of it, and potentially have third parties halt processing of the data.

UK Information Commissioner Elizabeth Denham has expressed worry that misinformation on GDPR is in danger of being considered true.

Claims that the new regulation will stop things like dentists ringing patients to remind them about appointments or that cleaners and gardeners will face massive fines that will put them out of business are wrong.

She added: “If this kind of misinformation goes unchecked, we risk losing sight of what this new law is about – greater transparency, enhanced rights for citizens and increased accountability.”

The commissioner said it was a myth that the biggest threat to organisations from the GDPR is massive fines.

She explained: “This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.

“Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point. And that concerns me.

“It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the Data Protection Act allows us.

“But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.

“The UK Information Commissioner’s Office commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR.

“We have always preferred the carrot to the stick.

“Issuing fines has always been, and will continue to be, a last resort.”

The commissioner also pointed out she wants to break the myth that GDPR compliance is focused on a fixed point in time.

Organisations have expressed concern about being prepared in time for GDPR’s introduction next month.

The commissioner said: “Some of the fear is rooted in scaremongering because of misconceptions or in a bid to sell ‘off the shelf’ GDPR solutions.

“I’ve even heard comparisons between the GDPR and the preparations for the Y2K Millennium Bug.

“In 1999, there was fear that New Year’s Eve would see computers crash, planes to fall out of the sky and nuclear war accidentally start. I want to reassure those that have GDPR preparations in train that there’s no need for a Y2K level of fear.”

The commissioner said it is a fact that GDPR compliance will be an ongoing journey.

She added: “Unlike planning for the Y2K deadline, GDPR preparation doesn’t end on May 25 – it requires ongoing effort.

“It’s an evolutionary process for organisations – May 25 is the date the legislation takes effect, but no business stands still.

“You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.

“That said, there will be no ‘grace’ period – there has been two years to prepare and we will be regulating from this date.

“But we pride ourselves on being a fair and proportionate regulator and this will continue under GDPR.

“Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.”
