More European data protection stuff, I’m afraid. If you’re new to this, you can read my previous posts on the forthcoming Europe-wide General Data Protection Regulation:
- GDPR – the headlines
- GDPR – no easy get-out on consent
- GDPR – (para 3) – early warning on staff consent
So, anyway, here I am reading the European Parliament’s press release celebrating the final approval of the GDPR a couple of weeks ago. Well, someone has to do it – be glad it’s me instead of you. There’s some good news – we get a little more time. The wheels of European legislation grind exceedingly slowly, so it will finally come into force on May 17th 2018 – two years and twenty days after publication in the European Journal. That’s about four months later than I thought – so we have four more months in which to scratch our heads and/or panic.
In case the whole thing has been a bit TL;DR for you, here are the top 6 headlines again:
- It will apply to you if you offer services in the EU – no matter where you’re based. Tough for the US web majors and offshore data processors.
- Profile-based targeted marketing and pricing might be illegal – tough for the Big Data crowd.
- People have to consent to your use of their data – real consent, informed, time-limited. Tough for the email-marketing industry.
- Larger companies and data processors need a specifically-appointed Data Protection Officer. Good for people like me – yay! – but an additional business expense.
- You’ll have to notify the Information Commissioner’s Office if you have a data breach – and quickly. No more sweeping it under the carpet and hoping no-one notices, I’m afraid.
- Big penalties – up to €20m or 4% of global turnover. Good for the ICO – they’re excited – not so good for you if you breach and get caught. Ah yes, see previous point…
More headlines and more detail in my main GDPR post.
I’ll be running a series of posts over the next few weeks looking in more detail at each of the 13 main issues, as I see them. Until then, enjoy your new-found power to make Big Data advocates stammer uncomfortably.
Oh, and here’s the accompanying Directive covering processing of data for the purposes of law enforcement. Not really relevant to you, unless you’re in the Police, or the Home Office, or are a lawyer, or work with any of these groups. Amusingly, because this is a Directive rather than a Regulation, the UK and Ireland get to implement it with variations – as yet unspecified – and the Danes get six months to decide if they want it or not. Yes, I know, I’m ashamed that I know this kind of thing too.