As of 25 May, cyber security becomes a pressing issue for UK businesses, especially those that work with analytics, online advertising, and social media. This is the date the new General Data Protection Regulation (GDPR) comes into force, and the date by which every business that holds “personal information” about customers and clients should have adequate security in place.
The definition of personal data
The Data Protection Directive 95/46/EC defines personal data as “any information relating to an identified or identifiable natural person”. This can be information that identifies a person directly, for example by name, or indirectly, for example “Head of Design at Brand X”.
The reason the regulations are changing so dramatically for the first time in 20 years is that people can now be identified in ever more complex ways, by an IP address, for example, or by DNA. Here’s what you should be aware of:
- Personal data and unique identifiers – The GDPR makes it clear that personal data includes online identifiers and location information. As such, IP addresses, mobile device IDs and the like must be protected. If they aren’t, any exposure will be considered a data breach.
- Pseudonymous data – This is when encryption is used to ensure that the personal data cannot be accessed without the relevant technology or additional information (such as the key). Although pseudonymous data is still classed as personal data, and therefore falls under the same rules, the encryption gives an organisation using it added protection because it is seen as an enhanced security measure. In fact, the GDPR encourages organisations to employ such measures as part of their risk management.
- Genetic and biometric data – This covers the likes of gene sequences, fingerprints, retina scans, facial recognition data etc., and is regarded as the most sensitive category of personal data. As such, this type of data needs explicit consent from the individual before it can be processed. Companies that process it on a large scale will be required to have a risk assessment by a specialist controller.
The new GDPR will have a big impact on online businesses
Now that online and unique identifiers have been categorically classed as personal data, online businesses will have to ensure that any such data they hold is secure. This will be especially important for businesses using analytics, or specialising in online advertising and social media.
This does not only apply to UK companies; it applies to any company that holds information about customers and clients in the EU. What about Brexit? For UK companies working solely with UK personal data, the post-Brexit situation is for the time being unclear. The advice is to comply with the GDPR and wait for further information.
Breach the GDPR and you could face a €20 Million fine!
A data breach is defined as “a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an unauthorized fashion.” If a company is deemed to have breached the GDPR, it can be fined up to 4% of its annual global turnover, or €20 Million.
For more information about the GDPR and what it means for you, visit https://www.eugdpr.org/
Update 25/05/2018: Click here to listen to our GDPR spotify playlist!