GDPR – Where are we now?
June 5, 2017

With just a year left until the new General Data Protection Regulation (GDPR) comes into effect, every business with a close eye on its data processes and compliance should already have an action plan firmly underway, or be making plans to accommodate the legislation as part of a programme of digital transformation before 2017 comes to a close.

In June last year we dropped a blog on how the data protection changes could affect your business, addressing Childcare and Education, Financial and Legal Services and Healthcare specifically. Fast forward a year and, in the wake of WannaCry, the importance of securing your data has never been more poignant. If the NHS has learned anything from the cyber attack it’s that someone must take responsibility for this digital ‘state of emergency’ and make the digital transformation of the NHS a national priority. And by ‘national’ we mean each and every one of us. It’s our data after all. It’s startlingly evident that a countrywide culture of complacency and unpatched systems led to some 200,000 victims across 60 NHS Trusts. A very hard lesson to learn.

Speaking on the role of accountability, Information Commissioner Elizabeth Denham noted back in January that “We’re all going to have to change how we think about data protection.”

“It’s a big job. We took almost 200,000 calls on our helpline last year. And on the other side of our role, we issued more than £1 million of fines to organisations that got it wrong.”

The point here is, realistically, is it any wonder? Denham rightly detailed how the existing Data Protection Act was drafted in the pre-Google, pre-social media, pre-cloud era, rendering it wholly unfit for purpose given the way we use and move data today.

Denham notes:

“In the coming years, connected cars, fridges, ovens, and more will be designed to make our lives easier. But if the past is any guide, they’ll also throw up issues which the legislation hasn’t foreseen.”


If WannaCry has taught us anything it’s that technology doesn’t stop, ransomware and the Internet of Things alike. So our data legislation, and the frameworks that deal with it, must now have the flexibility to adapt at the same speed as connectivity (and thus the threat from cyber attack) grows. How each of us on the ground keeps pace with that comes down to robust digital transformation, and meaningful upgrades of all systems responsible for the kind of connectivity and data handling we must now anticipate, not just manage at current capacity.

“Artificial Intelligence, machine learning and sensor technologies will do the same – growing the ‘internet of things’... That’s a challenge for the regulator, but it’s a challenge to businesses who want to – who have to – comply with the law. We’re all going to have to change how we think about data protection.”

On that note, here’s a recap on what the GDPR looks like:

The new EU General Data Protection Regulation (GDPR) will come into effect as of 25th May 2018. The new legislation could see fines of up to €100m or 5% of annual global revenue (whichever is higher) but what’s more, on top of that, victims of data leaks and breaches may also claim for compensation. As you can imagine this boon-for-some could court some serious reputational damage, in addition to legal costs for those responsible.

Superseding member states’ existing data protection law, including the UK’s Data Protection Act, the GDPR will also apply to those based outside the EU processing the data of EU nationals. Happy days. Effectively ring-fencing our data is a smart move.

Perhaps one of the most notable changes is the shift in the onus of responsibility, with the data processor, rather than the data owner, taking on accountability and thus the risk of penalty in the event of a breach. The good news here is that the market for data processing and software-as-a-service (SaaS) will have to undergo some serious quality assurance overhauls to accommodate this. In short, safer, smarter software as well as bigger and better services. So now really is the time to start investing and setting aside budget for the new and improved. Not just so you can ‘meet with compliance’ but because what’s on offer really is going to make valuable changes to your organisation’s operations. More bang for your buck, if you will.

And then there’s the right to be forgotten. The GDPR will grant new erasure rights, meaning the right for individuals to request and demand the deletion of any data held on them. You’ll need to implement procedures that ensure data is effectively removed, across all devices and systems while anticipating potential risks and obstacles such as syncing protocols. Additionally, it will be your duty as a data holder to inform clients of their rights in this area, documenting that you have done so and obtaining explicit ‘opt-in’ consent from them to process said data. Compliance. Compliance. Compliance.

May 2018 is no longer a distant horizon, but becoming compliant now will enable you not only to navigate potential issues with ease, but also to start on your journey to a digital transformation that futureproofs your business.


For more information on how you can get ready for the GDPR check out what we offer here. Alternatively, if you’d like to discuss what Etain can do to help you accommodate the GDPR changes, get in touch on 028 90 87 2222 or drop us an email.

Disclaimer

Etain Ltd make custom software; we aren’t legal professionals. The information above is presented in good faith, and is intended as a high-level guide to help you understand the potential effects of the GDPR.

If you are unsure of your position, you should not hesitate to consult a legal expert or your local regulatory authority. The full text of the General Data Protection Regulation can be read here.
