Our personal data is more vulnerable than we think – the incoming GDPR offers an opportunity to demystify the confusing world of how our data is processed, writes Stuart Smyth
In under two months, the most significant revision of data laws ever undertaken by the EU, the General Data Protection Regulation (the GDPR), will come into effect, transforming the way in which all our data is handled. One of the most important developments is the strengthening of a number of ‘data rights’ for individuals. We will have the right to access data held by others concerning us free of charge.
We will also have the ability to request rectification of incorrect data, to object to the use of our data, and to assert the now-infamous ‘right to be forgotten’ (subject to some important exceptions including freedom of expression).
The GDPR will completely change the way businesses are allowed to use our personal information – gone will be the days of ambiguous, small print terms and conditions. Companies (or ‘data processors’) will have to tell us much more transparently what they will be using our ‘data’ for and for how long, and then they will have to delete it afterwards.
The punishments for non-compliance are severe: fines of up to €20 million or 4 per cent of annual turnover (whichever is higher) can be imposed for the most serious infringements. With only around 36 per cent of businesses even aware of the GDPR (according to the Cyber Security Breaches Survey 2018 from the Department for Digital, Culture, Media and Sport), and only 6 per cent of businesses having installed the necessary anti-malware software to protect their data online, the Information Commissioner could well be in line for a bumper bonus to its budget over the next few years.
Even Brexit won’t save UK businesses from the added administrative burdens, since the GDPR will be enshrined in EU law in May this year, and the UK government has committed to bringing it into UK law post-Brexit.
As can be seen from the recent Cambridge Analytica/Facebook scandal, our personal data is more vulnerable than we think and can be open to abuse and used in ways of which we are not aware. The EU commissioner in charge of data protection was quoted, in reference to Cambridge Analytica, as saying: ‘We don’t want this [abuse] in the EU and will take all possible legal measures including the stricter data protection rules and stronger enforcement granted by the GDPR.’
This sort of abuse is exactly what the hefty fines permitted by the GDPR are designed to prevent. That sledgehammer is already being wielded under the existing rules, as Elizabeth Denham, the Information Commissioner for the UK, said: ‘Last year we issued more than one million pounds in fines for breaches of the Data Protection Act, so it’s not a power we’re afraid to use.’
For consumers, or should I say ‘data subjects’, the GDPR offers an opportunity to demystify the confusing world of how our data is processed, passed on and often misused. Its chief weapons aside, implementation of these changes will hopefully affect people’s lives for the better, be it less spam in their inbox or fewer cold calls asking if they would like to pursue compensation for that car accident in which they were (not) involved.
Stuart Smyth is an associate at boutique private wealth law firm Maurice Turnor Gardner LLP