What is GDPR, and how will it affect you?
The issue of personal data, and more specifically data protection, has become a burning one of late - not least in the wake of the Cambridge Analytica scandal. Merely a matter of weeks ago, it emerged that the data of millions of individuals was harvested from Facebook, and illegally exchanged with the firm, which acts as a political consultant.
Against the backdrop of the controversy is the fast-approaching implementation date of the new General Data Protection Regulation (GDPR). You're most likely aware of it - if not during the course of business, then as a result of your inbox being greeted by a series of emails from various companies requesting that you remain opted in to their database.
But what is GDPR really, and why is the advent of it so significant?
GDPR in a nutshell
Widely described as the 'biggest overhaul of online privacy in the internet era', this new legislation is being brought in to make it a right for all EU citizens to know what data is stored on them, and to have it erased (aka the 'right to be forgotten'). It is also designed to provide extra protection for the individual against irresponsible data use, and in the event of a data breach too. It comes into effect on 25 May, and, despite Brexit, will replace the Data Protection Act 1998, and apply to all UK businesses for the foreseeable future.
In fact, it applies to anyone who is deemed a 'controller' or 'processor' of personal data associated with an EU resident - even if that entity is not itself based in an EU country. A controller of data can loosely be understood as the organisation responsible for justifying how and why the data is being processed, while the processor is responsible for actually processing or handling the data (in some cases an intermediary or outsourced IT firm).
The onus lies on the controller to ensure that the data is processed lawfully, and while the processor also needs to adhere to a stringent set of rules, it is the controller who bears greater liability should a contravention of the new law, or indeed a data breach, occur. A business that fails to comply with GDPR could face a fine of up to €20 million, or 4 per cent of its global turnover (whichever is higher).
Definition of data and consent
Given the era of its introduction, it's fair to say that the Data Protection Act has become outdated in many respects, and one of these is the very definition of data. Under GDPR, the EU has expanded this to cover all personally identifiable information - be that demographic data; financial, medical or cultural information; and even IP addresses.
In fact, even so-called pseudonymised personal data - whereby artificial identifiers are used as a substitute for actual data - falls under the umbrella of GDPR, depending on how difficult it is to associate these identifiers with the individual in question.
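The point about pseudonymised data turns on how easily a token can be linked back to a person. The following added example (written for this article; it is not Lending Works' code, and the email addresses and key are constructed sample values) compares an unkeyed hash, which anyone holding a list of candidate identifiers can re-link, with a keyed HMAC whose secret stays with the controller, so the token cannot be linked without it. Both schemes are deterministic, so records can still be joined on the token.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample identifiers of the kind a controller might pseudonymise.
SAMPLE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Deterministic and needs no secret, so a holder of a
    candidate list can recompute every token and re-identify the person."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held separately by the controller.
    Without the key, the token cannot be recomputed from a candidate list."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def relink(token: str, candidates: Iterable[str],
           pseudonymise: Callable[[str], str]) -> Optional[str]:
    """Re-identification check a data protection officer might run: feed each
    candidate identifier through the scheme and see whether any token matches.
    Returns the matching identifier, or None if the token cannot be linked."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise(candidate), token):
            return candidate
    return None


def pseudonymise_records(records: list, key: bytes) -> tuple:
    """Split a dataset into a pseudonymised table (safe to hand to a processor)
    and a lookup table that stays with the controller alongside the key."""
    pseudonymised, lookup = [], {}
    for record in records:
        token = keyed_pseudonym(record["email"], key)
        lookup[token] = record["email"]
        pseudonymised.append({"token": token, "balance": record["balance"]})
    return pseudonymised, lookup


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed: generated fresh each run

    naive = naive_pseudonym("bob@example.com")
    print("naive token re-linked to:", relink(naive, SAMPLE_EMAILS, naive_pseudonym))

    keyed = keyed_pseudonym("bob@example.com", key)
    # An attacker without the key can only try unkeyed guesses, which never match.
    print("keyed token re-linked without key:",
          relink(keyed, SAMPLE_EMAILS, naive_pseudonym))
    # The controller, holding the key, can still resolve it when lawfully required.
    print("keyed token re-linked with key:",
          relink(keyed, SAMPLE_EMAILS, lambda e: keyed_pseudonym(e, key)))
```

The lesson for a controller is that an unkeyed hash of a name or email address is not, on its own, meaningful pseudonymisation: the identifier space is small enough to enumerate. Keying the function and storing the key apart from the data is what makes the association difficult, which is the test the regulation applies.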
Also underpinning the revolutionary nature of GDPR is the matter of consent. Under GDPR, lawful consent must be an active, affirmative request by the individual, rather than passive acceptance. Most commonly, this relates to marketing email communications, and specifically pre-ticked opt-in boxes. These will no longer be permitted from May, and all organisations will need to keep a record of how and when customers have provided consent. Furthermore, organisations have been asked to refresh old opt-ins, which is why you are likely receiving a lot of emails at present.
GDPR and Lending Works
There are wide-ranging reports about companies either being unaware of GDPR, or failing to take action in order to prepare for it. Given how seriously we take the issue of data protection here at Lending Works, we've kept a close eye on the arrival of GDPR. The legislation actually came into force back in May 2016, although there has been an implementation period of two years prior to the laws being applied.
Nevertheless, a combination of the most cutting-edge data protection technologies and systems, coupled with market-leading expertise within our IT department, should give our customers complete peace of mind that their data is safe with us, and certainly would never be used frivolously. As such, the rules pertaining to GDPR are ones we have, in effect, always complied with.
We welcome any measures which safeguard personal information, and very much see GDPR as a significant force for good - not least in recent times, where data has too often been dubiously acquired and unscrupulously used. Here's hoping for a safer online world from 25 May.