GDPR preparation: 2018 data protection changes


The EU's General Data Protection Regulation (GDPR) has now been in force for a year, and it has become increasingly clear that compliance was always going to be an ongoing process rather than a state of being entirely ready on 25 May 2018.

Gaps large and small may still exist in companies' data strategies, which is to be expected given that GDPR was the biggest shake-up of data protection law since such laws were first introduced.

As 2019 continues, businesses may find that the definition of 'compliance' itself shifts as regulators settle on their own interpretations of, and nuances in, the written law. Underpinning all of this, however, is a set of long-standing data protection principles that ensure good data hygiene and protect the privacy rights of consumers, or 'data subjects'.

As far as GDPR is concerned, all organisations, whatever their sector or size, must collect and process personal data fairly and consistently for everyone in the EU. Consent must be obtained in an overt and unambiguous manner for a whole host of processing activities, from updating customers on future products to using their data for marketing. Organisations must also honour a number of additional rights, such as the right to be forgotten and subject access requests (SARs).

GDPR gives data subjects a say over how much of their information organisations may keep, in what detail and for how long, and preserves their right to know what it will be used for before they give consent.

In the UK, it is the first major change to data protection law since the Data Protection Act 1998, which itself implemented the EU's Data Protection Directive of 1995.

Read on to understand the key aspects of GDPR you must comply with, and read to page three to find out where you are on our GDPR preparation timeline.

Why is GDPR necessary?

Who is responsible?

The Brexit (non)-issue

Data breach notifications

The right to be forgotten

Record keeping

Getting it wrong

Our GDPR preparation timeline

Why is GDPR necessary?

Our personal data is everywhere online, however hard we try to keep it from being freely available. Bank details, our address, even our mother's maiden name or the answers to security questions that only we should know are shared with an array of online services, whether we're completing a one-off transaction or handing the information to a social network when we sign up to keep in touch with old friends.

But what happens to that data once the bank has approved the transaction or the account has been created? One key concern is that it will be reused or sold on to others. This is why GDPR was introduced: to give EU citizens more transparency about, and control over, how their data is used.

Businesses worry that complying with the rules will be expensive, even though GDPR also gives firms a single, clearer framework for staying on the right side of the law. Compliance may seem like a lot of effort, but it reduces the likelihood of your company suffering a large-scale data breach, which is as beneficial for your organisation as it is for your customers.

The primary purpose of GDPR is to ensure personal data "can only be gathered legally, under strict conditions, for a legitimate purpose". This brings a long list of responsibilities, such as the obligation to honour data subjects' requests to have their data erased and to report qualifying data breaches to the ICO without undue delay, and within 72 hours of becoming aware of them where feasible. Failure to comply can lead to huge financial penalties, so it isn't something you can ignore.

The Brexit (non)-issue

GDPR doesn't apply to UK companies only for as long as Britain remains part of the EU, because its reach does not depend on whether a company is based in a member state. The legislation applies to any organisation that processes EU residents' personal data, wherever it is located.

So any organisation that held off updating its data protection procedures to comply with the rules was only making the task harder for itself. Equally, those who spent a lot of money and time on their GDPR preparation can reassure themselves that it wasn't wasted.

Even the few organisations that don't process EU residents' information will still have to comply with GDPR's requirements in the longer term.

This is because the UK government has effectively replicated the vast majority of the GDPR rules in the Data Protection Act 2018.

The Act includes much tougher fines for organisations that misuse data, of up to £17 million or 4% of global annual turnover, whichever is greater, and ends companies' reliance on pre-ticked or opt-out boxes to obtain consent. This means UK law now looks very similar to the EU's.

This is vital to the UK's future economic relationship with the EU, as it should allow data to keep flowing between the two uninterrupted, without the need for a new agreement of the kind the EU has with the US to ensure data protection parity.

But there are some key differences between the UK's Data Protection Act and GDPR. One, for instance, is that the Act does not let data breach victims authorise independent bodies, such as privacy groups, to take legal action on their behalf against the organisation at fault.

Keumars Afifi-Sabet
Features Editor
