Everything You Need to Know About Data Protection Changes
Each day, companies collect massive amounts of data on their users, storing everything from dates of birth, to hair colour, to email addresses, to political leanings. This information has many purposes: as I have previously discussed, retail businesses are using Big Data to transform the shopping experience and tailor it to individual customers, while other companies keep data for marketing purposes and to track performance. Data storage is extremely useful for many businesses today, but the laws governing how these details can be used were created in the ’90s — well before anyone could fully comprehend the scale of the digital age.
After twenty years, it’s time for an update to the guidelines for data protection. Here, I explain how the EU’s forthcoming General Data Protection Regulation (GDPR) and the UK’s corresponding Data Protection Bill are transforming the way companies store and process data.
What are the current laws?
At present, the Data Protection Act 1998 determines how personal information can be used in the UK, while the EU is governed by a 1995 data protection directive. These current laws can make it difficult for individuals to withdraw their information from a company’s data stores, and they do not cover details such as IP addresses, internet cookies and DNA.
What changes are being made?
GDPR and the Data Protection Bill are essentially bringing data privacy into the 21st century. They will implement ‘the right to be forgotten,’ a policy that allows an individual to ask a company to erase his or her data. This could mean everything from completely deleting information from social media profiles, to erasing stored address information within an online marketplace like Amazon.
Companies will also be required to disclose the information they hold about a person to that individual free of charge (current laws allow businesses to charge £10 for this service). In addition, privacy policies on company websites will be made more explicit, and users will be presented with a ‘positive opt-in’ when they are asked to provide information.
Furthermore, companies that regularly collect and handle information will have to designate a data protection officer to oversee their processing. If companies fail to conform to these new security measures or suffer a breach in their data systems, they may face serious fines.
Who do these changes affect?
GDPR and the Data Protection Bill will have significant effects on companies of all sizes across a variety of industries. Retail, social media, fintech and healthcare are particularly likely to feel the impact of these laws, but all businesses and organisations that handle data will feel their effects — the extent will depend upon the quantity and type of data that they collect and store. It is particularly important for small companies and startups to pay close attention to the new laws, as they may not have the funds to pay for fines should they arise.
It’s recommended that companies begin preparing their data systems for GDPR now, so that they can be ready when the law comes into effect in May 2018. Comprehensive and quick implementation will be key for all companies — not only to avoid fines, but also to secure the trust of the individuals who put personal information into their care.
Tej Kohli is a tech entrepreneur and philanthropist who has founded several not-for-profit organisations including the Tej Kohli Cornea Institute, Kohli Ventures and the Tej Kohli Foundation.