First of all, let us get to a base of understanding. The most important thing that your staff must recognise is that they are all now personally involved in data privacy in a manner that was never the case before. Once upon a time there was something called the Data Protection Act, which was a reasonably toothless interpretation of European guidance, enacted individually by each European State.
The General Data Protection Regulation (GDPR) evolved from that in a manner that we should all recognise the benefit of and welcome. First, the Burghers of Brussels noted all the flaws and imperfections in the various iterations of the DPA. They then took account of the colossal impact of an enhanced digital revolution that transformed two aspects of privacy: the first was that concepts such as social media saw a growth in the publication of private information; the second was that criminals got in on the act to blackmail, steal, misinform and ransom data wherever they could find it. And then finally they sought to introduce a trust environment throughout Europe so that the value of data could benefit society whilst maintaining protection.
If comprehension of its purpose is the first point, then the second has to be the enabling law, and basically GDPR says that if a territory does not acknowledge European Law, then you cannot share information with them, or use servers located there. The point being that they cannot be sued in the event of a breach, or held to account by regulators.
Which leads us logically to the third critical change from the DPA, in that under the GDPR the customer has real teeth as an individual, with all sorts of new rights, including the right to compensation. Whilst non-compliance is backed up by the imposition of fines, The DPO Centre believes that the greater threat to an organisation comes from reputational damage and class actions that will develop case law, which may have many times the impact of a fine on an organisation, and will show no mercy in respect of affordability.
Our fifth point is to briefly cover some of the main ‘new’ rights under GDPR, starting with the requirement that user consent should be by a ‘clear affirmative act’: no more shrouded tick boxes or “implied consent”! Individuals have the right to be informed of your use of their data, and also the right not to be bound by an automated decision. (What happens to “computer says no?!”) A nightmare for many operations will be the right to be forgotten, with erasure of their data (including from within your backups). There are other aspects, such as data portability and children’s privacy, all new and big subjects on their own, but not to be covered now.
But we would ask you to consider our sixth and concluding point as being the manner in which staff are now fully involved in every aspect of personal data privacy going forward, starting with “protection by design and default”, through every aspect of the choice and application of information, up to and including the ongoing discipline and care that is required to be demonstrated in daily use. It is good work, well developed, and absolutely essential to protection in an increasingly dangerous world.