In less than a year (on 25 May 2018, to be exact), the European Union General Data Protection Regulation (GDPR) will take effect. It replaces the existing Data Protection Directive and, because it is a Regulation rather than a Directive, it applies directly in every EU Member State without needing primary legislation to be enacted in each one. So what has changed?
Definition of personal data
The definition of personal data has been widened: it now explicitly covers online identifiers such as email addresses and even IP addresses or device IDs, should you log them. If you rely on consent for regular email communications to members and that consent is not explicit, you will need to obtain explicit consent (or identify another lawful basis) by 25 May 2018, or stop emailing them. Extra care will have to be taken with sensitive personal data, which the GDPR calls special category data. This can extend to restricting who has access to marital status (if you record civil partnerships separately from marriages) or to the sex of a member's spouse, since either field can reveal a member's sexual orientation, and that should not be routinely disclosed.
Implicit consent no longer permitted
Implicit consent is no longer permitted under the GDPR: consent must be a clear, affirmative act, so silence, inactivity or pre-ticked boxes will not do. Many schemes currently rely on implied consent to justify their data processing; they will need to obtain explicit consent or identify another lawful basis for processing. Whichever route is chosen, Privacy Notices will need to be updated to reflect it.
If you wish to see an example of a Privacy Notice, this is Google's, which has been updated for the GDPR:
Preparing for GDPR
The ICO has issued a 12-step guide, which is exceptionally useful for anyone preparing for the GDPR. It is written in plain English and is 11 pages long: not bad, considering the Regulation itself runs to 88 pages. One of the first steps is to conduct a data audit: what data do you hold, where did it come from, where is it stored, who has access to it, why do you need it and how accurate is it? Make sure you have documented procedures that you can use to demonstrate to auditors and the ICO how you comply, since the GDPR requires you not only to comply but to be able to show that you do. Make sure that all your staff, members, employers and anyone else who provides you with data or uses your data are aware of these procedures.
The fines that can be levied have increased significantly, to around 40 times (and possibly more) the maximum possible under the existing data protection regime. The maximum fine will be €20 million or 4% of annual worldwide turnover, whichever is higher. To put this in perspective, last year TalkTalk was fined £400,000 for security failings that led to a data breach. Under the new Regulation, the author estimates that fine could have been as much as £59 million.