The EU's General Data Protection Regulation is close to being a reality. We ask some questions.
After three years of arduous discussion, it is now certain that the EU's long-awaited General Data Protection Regulation (GDPR) will finally become law sometime in 2016. Although it is not the first piece of legislation to affect EU member states - the Data Protection Directive (95/46/EC) has been in place since 1995 and will be supplanted by the GDPR - the majority of businesses have grasped that it is without doubt the most far-reaching.
From the outside, the GDPR can look complex and inscrutable, the sort of text that can only be understood by legal experts. Here we try to reduce it to its bare essentials: the parts that organisations must know about and, after a bedding-in period that might stretch to two years, comply with.
The GDPR represents a huge change in the way organisations must approach data, but it also offers opportunity. Businesses able to adapt to the GDPR quickly will reap the benefits down the line.
What is the GDPR?
It sounds like an obvious point, but it is worth re-stating that the GDPR is a set of rules governing the security and management of personal data, both of customers and of employees. Until recently, this would have covered only records held on or about individuals, but in an age of big data it should be defined as any data that could be used to identify someone.
Inevitably, some argument has surrounded how one can separate and define non-personal (i.e. anonymous) data that is not covered from data that could, in some circumstances, make someone identifiable. What is clear is that the data organisations (called 'data controllers') hold and gather on people is now an issue of business risk.
What is the timescale for its implementation?
The GDPR has taken over three years from its earliest drafts in 2012 to reach the stage where agreement is in sight, now expected by the end of 2015 or very early 2016. After that, full enforcement should commence two years later, in late 2017 or early 2018.
UK business and the GDPR - the GDPR is a regulation not a directive
The EU issues directives as general provisions that member states can enact on any timescale they wish. By contrast, a regulation has the force of law, applies immediately across all member states (within a defined timescale), and does not require separate legislation in each country. That is the point of regulations - everyone has to comply.
UK business and the GDPR - which organisations will be affected?
Initially, only those with more than 250 employees processing over 5,000 records per annum, although in time small enterprises of all sizes and record throughputs will come within its scope. The timetable for this extension is not yet clear. Importantly, businesses based outside the EU will also be affected by the GDPR if they do business inside the EU, extending its reach to a global level.