According to a UK Government report released on 24th January 2018, fewer than half of UK businesses are aware of upcoming changes to data protection legislation occurring on 25th May 2018.
The new data protection legislation is the European Union’s General Data Protection Regulation (GDPR), which is set to be implemented into UK law under the Data Protection Bill; it’s the most stringent data protection legislation ever enforced.
Over 25% of UK businesses which are familiar with the legislation have made requisite changes to internal policies and processes prior to its implementation later this year. However, GDPR doesn’t just apply to EU member states; it also applies to US businesses – or businesses in any country – serving customers based in the EU.
Despite this, the US suffers from a similar problem with lack of awareness around the new legislation – a survey by MediaPro earlier this year found 59% of 1,007 participants had no knowledge of GDPR. Perhaps most disconcerting of all is that those in the education and governmental sectors were the least likely to know about the new legislation.
GDPR will require businesses to have appropriate measures in place for safeguarding private data, and the Bill will give the UK’s Information Commissioner’s Office (ICO) new powers to enforce significant fines of up to £17 million or 4% of global turnover against businesses found to be in breach of the legislation.
The GDPR also prioritises a number of rights on the part of customers, including:
- Right to be informed: this articulates the information which must be provided to a ‘data subject’ (customer). This includes contact details of data processors and details of transfers to other countries. This information must be provided at the point of collection.
- Right of access: this relates to the data subject’s right to access the data held on them. A copy of this data must be provided free of charge.
- Right of rectification: this relates to the responsibility of businesses to change inaccurate data held on data subjects. The change must be made within one month.
- Right to erasure: this is colloquially referred to as ‘the right to be forgotten’ and relates to a data subject’s right to have their data deleted.
- Right to data portability: this refers to the right of data subjects to transfer their data between different services.
The overall aim of GDPR is to prioritise the protection of consumer data. There are numerous examples of GDPR already in force – Google, for example, offers users of its services the right to copy or download any data held in their accounts for use in another service.