Patrick Lennon Associates 25 years

September 8, 2017The General Data Protection Regulation (GDPR) – Briefing Note

The GDPR is what is described as a “landmark” piece of European legislation that will come into effect on the 25th May 2018.

The new law will have a major impact on the world of data privacy giving consumers a range of new rights, including the right to know what data is held about them and who holds it , the right to have personal data deleted, new civil liberties around data portability and consent, as well as the right to be quickly informed about data breaches.

Anyone who handles personal information about consumers, for example, loyalty card programmes, airlines, travel operators, sports clubs, multiple grocers and so on, will be profoundly affected.

The new piece of legislation is already causing debate and concern across Europe since it demands higher levels of security and compliance. The reason is simple: GDPR is powerful: break the law and a company, organisation or individual could face a maximum fine of up to Euro 20 million or four per cent of global turnover, whichever is greater.

Companies (of all sizes) have been advised to review how they obtain customer consent when GDPR comes into effect.

The new law also aims to promote trust – currently, only one in four adults in the UK trust businesses with their personal data.In addition, data protection incidents are fast becoming reputation issues, investors have started punishing companies for data security breaches.

GDPR is also wide-ranging in its application, it has an extra-territorial effect. If data is sitting on a US based server for example, this will have to comply with EU legislation. Anyone who handles information – processors, collators and collectors, from EU citizens will have to comply.

Companies that are trying to build-up a detailed profile of their clients so that they can customise loyalty and marketing aimed at the clients, will have to rethink their strategies and obtain greater consent from clients as a minimum.

Already it is apparent that GDPR compliance needs a holistic and integrated approach involving many stakeholders, processes and technology, all of which need to talk to one another. People will need to act less in silos and realise that everyone has a vested interest in making information governance work. The business of data management will never be the same again.

Key issues

GDPR is a cultural shift in terms of respect for people’s data.

Data integrity and information governance is everyone’s issue. GDPR is like no other piece of previous legislation.

Undoubtedly, more similar legislation will come into effect from other countries beyond the EU.