The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018. The GDPR is a regulation intended to strengthen and unify data protection for all individuals within the European Union (EU). The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
GDPR has implications for all organisations that collect information about customers resident in the EU. Whilst the telecommunications sector has been under strict regulation for a number of years, there are some significant changes that the EU GDPR, and “the Applied GDPR” (the UK’s post-Brexit absorption of the directive), will bring to the sector.
What is the GDPR?
The GDPR (General Data Protection Regulation 2016/679) is a new EU Regulation which will replace the 1995 Data Protection Directive (DPD), which was implemented in the UK via the Data Protection Act 1998. It is intended to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organisations that collect or process personal data. It will come into force on 25th May 2018.
The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.
Will the GDPR impact telecoms, and how?
Those businesses that transfer information for data warehousing, reporting and marketing purposes will now need to be ready to delete or ‘anonymise’ these data sets.
Another important area will be data portability. Telcos should be able to provide consumers with a copy of their personal data in an electronic format. This means they need to keep this data in a structured and commonly used standard electronic format. A straight dump of tables from lots of disparate systems is unlikely to make the cut here.
Will it apply to me?
The GDPR applies to ‘controllers’ and ‘processors’. The definitions are being aligned much more closely under the new legislation, increasing the requirements that data processors currently need to adhere to under the existing DPA framework.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.