It’s occurred to me that GDPR (General Data Protection Regulation) isn’t wildly different from the Data Protection Act that it replaces – except in one major and hugely ground-breaking way.
The overarching goal of GDPR (enforceable in Europe from May 25 2018) is one of transparency and fairness. Its main mission is to encourage companies to be transparent about the way they store and use people’s personal data, and to be fair in the decisions they take regarding that data.
The transparency aspect is critical to GDPR, and companies need to be aware of this. If you aren’t being totally transparent about what you are doing with personal data, then it will be blindingly obvious to everyone involved that you are not being transparent. There’s the rub – and that’s what makes GDPR so different to the DPA.
The DPA was good legislation but it could be adopted (or not) behind closed doors; if a company didn’t comply with the DPA then it was very unlikely that they would ever be found out, unless of course they confessed to a huge data breach.
But, with GDPR, unless you are totally open about what you are doing, then it will be screamingly obvious that you are not complying and then people can report you.
Being ‘fair’ should encourage companies to adopt a completely different mind-set towards the custodial approach they have about their data. You need to adopt the attitude that ‘your’ data does not belong to you any more – it belongs to the individual and that individual has simply loaned it to you for a specific reason and for a given length of time.
Respect needs to be woven into every decision taken towards how that data is used and for how long it is kept. That data is on loan and is only in your custody for a reason. Be respectful, treat it as you would want your own personal data treated and be open and transparent with your policies – because it will soon become very clear if you are not.
[Editor’s note: GDPR applies to data held on European citizens, no matter in which country the data is held]