There's something particularly refreshing about listening to an expert. I had the opportunity to do just that last week when attending the PSMG event on GDPR: How to comply and lessons learnt from the coalface. It was led by Kolvin Stone, Partner @ Orrick Herrington & Sutcliffe. I learnt more in one 90-minute session on this new piece of regulation than I did over the past year.

Along with AI and Brexit, GDPR seems to be the stalwart of every business publication/event at the moment. Accordingly, I was reticent to write this post as I know the frustration most people feel upon seeing another post adding to the noise and the regular occurrence of listening to very unqualified people comment on things they know nothing about. However, I wanted to relay some of the refreshing facts I gleaned from this excellent workshop and maybe communicate with some of the people in my own network who have felt a similar level of confusion up until this point. 

What is it?

General Data Protection Regulation (GDPR) is, on the whole, a really good thing. It represents the modernisation of the law to meet the rigours and demands of 2018. The previous laws, conceived in the late 1980s, have been around since 1995; meanwhile the whole landscape has changed immeasurably. GDPR is the update we've been craving.

When it all boils down to it, what does it actually mean for the average person?

GDPR is designed to update and reinforce the fundamental right to data protection, more specifically the protection of your personal data (for a more complete summary of 'personal data', check out this article). So, whereas in the UK we currently live in an opt-out society (organisations can contact you until you opt out of that contact), from May 25th 2018 we will live in an opt-in society. At a basic level, organisations will need your consent, or a legitimate interest they can justify, before they can contact you.

So, no more emails out of the blue inviting you to events, no selling data to third parties, etc. All data needs to be 'clean', traceable and accountable - in short, data must be treated like any other valuable commodity.

OK, great. So, what?

Well, now that you've regained control of your data (who can access it, who can store it, and so on), you start to claw back some of the privacy you've unknowingly been giving away for so long. More importantly, the penalties for infringing upon people's privacy / violating these laws are more wide-ranging and severe:

  • The immediate financial impact of paying fines (potentially losing up to 4% of revenue, attending court, etc.)
  • Damage to reputation / loss of value / shareholders
  • Loss of future earnings

OK, so what does it mean for me?

Kolvin broke the impending regulation (and the changes) down into 8 key themes:

  1. Enhanced scope of the laws: a new definition of personal data that is much more comprehensive than the one in the current legislation
  2. New & enhanced rights for individuals: greater control of your data
  3. Transparent information: transparency about who has access to your data and how they (lawfully) obtained it, plus the right to erasure / 'to be forgotten'
  4. Profiling / Marketing: changes in how companies can contact you
  5. Service providers: providers are now just as accountable for their service being GDPR-compliant as the people who use it
  6. Compliance and accountability: big changes in the enforcement and regulation of businesses handling consumer data (think big fines)
  7. Privacy by design / default: moving from an 'opt-out' to an 'opt-in' society
  8. Security breaches & responses: organisations now have a strict time limit of 72 hours to react to any data breach and to inform the relevant people.