A recent survey done by Sage
found that two-thirds of EU citizens are concerned about their personal data online, and six out of ten don't trust online businesses. That is a significant proportion of the consumer base. The European data protection supervisor, Giovanni Buttarelli, has described
the Facebook breach as characteristic of 'a broken and unbalanced ecosystem, reliant on unscrupulous personal data collection and micro-targeting.' Public trust in data security has taken a beating.
There's no doubt that data is the new currency. Our 21st-century reliance on social media and electronic communication has placed vast quantities of personal information in the hands of corporations and organisations. How to protect and prevent misuse of that information has become a burning question. On May 25th
the General Data Protection Regulation (GDPR) comes into force across all 28 countries of the European Union. GDPR's 88 pages, consisting of 99 articles, are specifically designed to put an end to these kinds of breaches. It will protect personal data - names, addresses, IP addresses, any information that could be used to identify someone - and sensitive personal data like political views or sexual orientation. In addition, GDPR ramps up protection for pseudonymised
personal data – if it's judged possible that a person could be identified from their pseudonym.
The directive will bring the law up to date with technology, instituting new rules which will have a sweeping effect on all companies that deal with personal information. What is the aim of GDPR?
The purpose of the GDPR regulation is to protect all EU citizens from future privacy and data breaches. The world has dramatically changed since the original EU Data Protection Directive was established in 1995 - we live our lives electronically and online to an extent that would have been unimaginable 23 years ago. The directive is being overhauled to bring it up to speed with our new, data-centric world, building on the key principles of privacy created in the first directive. The legislation is intended to unify data privacy laws across the EU, and to give greater protection and rights to individuals. So... Who does GDPR apply to?
The jurisdiction applies to all companies processing the personal data of data subjects residing in the EU, no matter where in the world the company itself is based. There are a huge number of companies which will have to comply, and which might have data stored across multiple excel sheets and systems. Almost every profession and business in existence involves the handling of personal data. According to the ICO if you were subject to the outgoing legislation, the 1998 Data Protection Act, you will almost certainly be subject to GDPR. Understanding the rules will be critical for all. Costly consequences for non-compliance
The ICO, the organisation which upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals, can currently levy a maximum £500,000 penalty
in the UK. The new fine structure for non-compliance under GDPR is designed to be prohibitive. Those who fail to comply, either as controller or processor, face fines of up to 4%
of their annual global turnover or €20 million
, whichever is greater. It's serious money and the regulators clearly mean business. Under the new rules last year's fines, for example, would have been 79 times higher
. It's one of the bigger changes GDPR will usher in - the hope is that instituting more serious financial consequences for breaches will be an effective incentive for larger corporations to protect personal data. Big tech, big data
A few big tech companies have found loopholes and are evading GDPR rules by migrating their users outside the EU. Facebook users in the US and Canada were bound by EU data protection laws, as the company's international headquarters are located in Ireland, in order to take advantage of Irish tax breaks. Mark Zuckerberg has allegedly
put more than 70 percent of Facebook's 2 billion-plus members users out of reach
of GDPR by changing the terms of service, meaning that they are based in Silicon Valley and no longer in Ireland.
Mass data collection or 'big data' has been a standby for large tech firms for years. They profit from identifying users' behaviors online and selling that information on. Much of that data will be stored and used differently under GDPR, and there have been mutterings
that this will seriously curtail firms ability to make money. But big data can still be a tool for businesses. It simply must be used more responsibly.
Ultimately, with public confidence in data security at such a low, compliance with GDPR can only bring about positive change. The new directive could be the first step in rebuilding trust. Holistic solutions
According to recent research published by the Global RegTech Review
, almost half of RegTech companies are up to date with AML and KYC regulation. The third most commonly addressed regulation in RegTech is MiFID II, followed by Basel III and PSD2. And now GDPR is taking center stage. Businesses are being pulled in many directions to achieve compliance.
Regulations are ever-changing and endlessly evolving. If rules continue to proliferate at the current pace, in two years there will be nearly a billion of paragraphs of new rules published by global regulators. GDPR has become a miniature industry in itself, with companies offering tailored solutions for compliance - with varying degrees of effectiveness. It's understandable that in the past, banks ended up scrambling to address regulations one by one. At first glance, it would seem like the simple solution.
But experience shows that tying RegTech solutions
to a specific regulatory text (GDPR, Solvency II, MiFID II, MAR) is a short-sighted approach, and it won't work for long. Thankfully the industry is now moving past silo solutions for individual regulatory obligation and towards a more long-term, holistic approach, focused on fixing the problem of regulatory compliance once and for all. Achieving compliance with GDPR should be just part of the bigger picture.
Recommended reads on GDPR: GDPR Key Changes GDPR: Are you ready for the EU's huge data privacy shake-up? WhatsApp raises the minimum age to 16 in Europe ahead of GDPR What is GDPR? The summary guide to GDPR compliance in the UK