GDPR. Does it make your pulse race with excitement? Or does General Data Protection Regulation up the heart rate more successfully?
Or – if you’ve even heard of either – do they evoke a groan?
Sure, this subject is not ‘sexy’, but not only is it important, it may also be something really exciting for all of us.
Most of us have some (or great) concern about the way our personal, private data is being stored by large companies that may use it in all kinds of ways we don’t want – or even fear. We often feel quite helpless to know what to do about this.
Well, hope is at hand in the form of a new EU regulation which will come into force on May 25th 2018 – less than six months from now. Known as the General Data Protection Regulation (GDPR), it requires all organisations established in the EU, and organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour, to adhere to some fairly tough rules.
According to one GDPR expert (in an interesting podcast at http://5by5.tv/criticalpath/202), the legislation can be boiled down to one simple principle: every person should have control of their own personal data. Viewed that way, perhaps this is not so complicated, and the consequences flow naturally.
Yet it is not a simple matter either. Here is my effort to spell out as simply as possible the main aspects of what is required…
- There has to be a clear and transparent reason for an organisation to request and store personal data;
- The data to be stored must be the minimum required for the purpose stated;
- The ways in which the personal data will be used have to be clearly presented – and not exceeded;
- The data must be kept up to date – and not retained longer than necessary;
- The data must be protected by appropriate technical and organisational security measures against unauthorised access, loss or destruction;
- The ‘data subject’ (you and me!) has to give clear, affirmative consent to have our data used in the ways outlined – or the organisation must have another lawful basis for the processing, such as a contract or a legal obligation;
- The data subject has rights in relation to the data, including access, rectification, erasure and portability.
What exactly these principles mean for organisations (note: the law does not apply to private individuals processing data for purely personal or household purposes) is beyond the scope of this post. But at minimum it will involve a complete rethinking of how data is held, audited and managed.
If organisations take this seriously (and why wouldn’t they? There could be some mammoth fines for breaking the law: up to 4% of worldwide annual turnover or €20 million, whichever is higher), most of us should sleep easier at night.
GDPR? Bring it on!