GDPR is here, but is Europe ready?
By Alex Hilton, CEO Cloud Industry Forum
In case you’ve recently emerged from hibernation, 25 May 2018 was the day the General Data Protection Regulation (GDPR) came into force across Europe. After months of work updating policies and procedures in preparation, businesses can finally breathe a sigh of relief as the deadline passes smoothly. Or can they? Research and advisory firm Gartner has predicted that “more than 50 percent of companies affected by GDPR will not be in full compliance with its requirements.” Forrester places the number as high as 80 percent. This is worrying news for businesses, particularly given the increased fines for non-compliance now available to the Information Commissioner’s Office (ICO), the UK authority responsible for regulating GDPR compliance.
As many readers will be aware, GDPR brings into force the new European rules for data protection. It replaces the previous regime implemented by the 1995 Data Protection Directive, bringing about key changes to how personal data is used and accessed. The Regulation applies across the EU, as well as to companies based elsewhere who handle the personal data of EU citizens. The changes are too numerous to discuss in specific detail here, but implementing GDPR is a huge task for businesses and regulators.
Advocates of the new framework say it will greatly improve the treatment of our personal data. Even the initial opposition, which came particularly from the large tech companies, seems to have subsided in the wake of the Cambridge Analytica scandal. But if compliance is as low as some figures suggest, questions need to be asked about how the ICO should tackle companies failing to meet their GDPR obligations. Yes, these rules are important, and companies have had two years since they were published to prepare, but will instituting a raft of fines across the country really help, particularly where smaller businesses are concerned? A sensible distinction could be drawn between companies failing to engage with GDPR at all and those making genuine, if as yet unsuccessful, attempts to comply with the complex changes. Giving individuals more control over their personal data is an important step in our increasingly digital society, but employing overly punitive measures against businesses may well prove counterproductive.
Even regulators have been reported to be struggling to get ready for the implementation of GDPR. In a post on the European Data Protection Supervisor’s website, Giovanni Buttarelli, the European data protection officer, suggested that there were too few people currently working for data protection authorities in the EU to supervise GDPR. Speaking to the Financial Times in September 2017, Elizabeth Denham, the head of the ICO, said the organisation needed more staff to enforce GDPR effectively. The UK Government has overhauled the ICO’s funding to enable it to be fully equipped to investigate businesses’ compliance.
In Europe, all businesses must now make the ways in which they collect and use personal data more transparent. But this is not necessarily all bad for them. Individuals who perceive that their data has been collected dishonestly are unlikely to respond positively to how it is used. Being open about data collection may make individuals more attentive to the ways their data is used, perhaps leading to upsides for businesses that want more attention to be paid to the end product for which personal data is needed.
GDPR is not the end of the discussion on how to regulate the collection, retention and use of personal data. It will almost inevitably face teething problems. It is nevertheless important to look critically at the ways in which businesses use valuable data. The right balance will recognise the trade-off between accessing the benefits to which many have become accustomed and giving out personal information in exchange. It should also look to protect the existence of valuable businesses and encourage individuals to take an active role in managing how their data is used. How GDPR strikes that balance in practice will become clear over the next few years.
For more details on the Code see: Code of Practice for Cloud Service Providers