GDPR: Are you ready for the EU’s huge data privacy shake-up?

Next month a new law will make the consequences of failing to protect personal data far more serious for banks and other organisations.

The General Data Protection Regulation (GDPR), which comes into force on 25 May, will be the biggest shake-up to data privacy in 20 years.

A slew of recent high-profile breaches has brought the issue of data security to public attention.

Claims surfaced last month that the political consultancy Cambridge Analytica used data harvested from millions of Facebook users without their consent.

It has been a wake-up call for data security. People are increasingly realising that their personal data is not just valuable to them, but hugely valuable to others.

The growth of technology and electronic communication means that every day, almost every hour, we share our personal data with a huge number of organisations including shops, hospitals, banks and charities.

But that data often ends up in the hands of marketing companies, analysts and fraudsters.

Now the law on data protection is about to catch up with technological changes.

“GDPR is designed and intended to embody a data protection regime fit for the modern digital age,” explained Anya Proops QC, a specialist in data protection law.

“It seeks to put power back in the hands of individuals by forcing those who process our data to be both more transparent about their processing activities and responsive to demands for privacy-invasive processing to be curtailed.”

Among the many changes are measures that make it:

  • quicker and cheaper to find out what data an organisation holds on you
  • mandatory to report data security breaches to the information commissioner (within 72 hours of becoming aware of a breach that is likely to put individuals at risk), rather than just “good practice”
  • more expensive if fined for breaches – up from a maximum £500,000 to €20m (about £17.5m) or 4% of global turnover, whichever is the greater

“This is legislation which can literally sink those organisations who fail to respect our data privacy rights,” said Ms Proops.

Security

Organisations will have to review their systems and the way people work.

They will have to focus on technical security, including the use of encryption and the robust application of security patches.

But they will also have to use data minimisation techniques, including pseudonymisation – replacing direct identifiers such as names and email addresses with artificial tokens, so that a record can no longer be linked to a person without additional information (for example a key or lookup table) that is held separately. Pseudonymised data still counts as personal data under GDPR; it is a risk-reduction measure, not an exemption.

Ensuring that staff members are reliable will also be a priority. Taking personal data “off site” on mobile devices and memory sticks poses particular risks. A failure to ensure that such devices are encrypted can immediately expose organisations to a fine.
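As an added worked example of the pseudonymisation described above (this is illustrative code written for this page, not from any organisation or product it mentions): direct identifiers are replaced with a keyed HMAC-SHA256 token so that rows for the same customer can still be joined for analysis, while the key, the “additional information” that GDPR says must be kept separately, is the only way back to the person. It goes one step beyond the text by also showing why a plain unkeyed hash is a weak pseudonym: where the identifier space is guessable (email addresses, phone numbers), an attacker simply recomputes the hash over a candidate list. The records, key and candidate list are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for illustration; these are not real people.
RECORDS = [
    {"name": "Alice Example", "email": "Alice@example.com", "postcode": "SW1A 1AA", "balance": 1520.00},
    {"name": "Bob Example", "email": "bob@example.org", "postcode": "M1 1AE", "balance": 42.10},
    {"name": "Alice Example", "email": "alice@example.com", "postcode": "SW1A 1AA", "balance": 99.00},
]

# Fields that identify a person directly and must not reach the analytics copy.
DIRECT_IDENTIFIERS = ("name", "email")


def normalise(value):
    """Canonical form so the same person always maps to the same pseudonym."""
    return value.strip().lower()


def pseudonym(value, key):
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.

    The key is the 'additional information' that must be held separately
    from the pseudonymised data; without it the token cannot be linked
    back to the person.
    """
    return hmac.new(key, normalise(value).encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return a copy of each record with direct identifiers replaced by a token.

    Postcode and balance are kept because they are what the analyst needs;
    the subject_id token still lets rows for the same customer be joined.
    """
    out = []
    for rec in records:
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        kept["subject_id"] = pseudonym(rec["email"], key)
        out.append(kept)
    return out


def unkeyed_hash(value):
    """The weak variant: a plain SHA-256 of the identifier, no secret key."""
    return hashlib.sha256(normalise(value).encode()).hexdigest()[:16]


def reidentify_by_dictionary(tokens, candidates, token_fn):
    """Attacker's view: recompute token_fn over a guessable identifier space
    and look each observed token up. Returns token -> recovered identifier
    (None when the guess list did not cover it)."""
    table = {token_fn(c): normalise(c) for c in candidates}
    return {t: table.get(t) for t in tokens}


# Constructed guess list an attacker might hold (a leaked mailing list, say).
CANDIDATE_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated once, stored apart from the data
    for row in pseudonymise(RECORDS, key):
        print(row)

    # Unkeyed hashes fall to a dictionary attack; keyed ones do not.
    weak = [unkeyed_hash(r["email"]) for r in RECORDS]
    print("unkeyed:", reidentify_by_dictionary(weak, CANDIDATE_EMAILS, unkeyed_hash))
    strong = [pseudonym(r["email"], key) for r in RECORDS]
    print("keyed:  ", reidentify_by_dictionary(strong, CANDIDATE_EMAILS, unkeyed_hash))
```

The design point is the separation: the analytics copy carries only the token and the fields the analyst needs, and the key lives elsewhere (a secrets store with its own access control), so a leak of the pseudonymised dataset alone does not identify anyone. Rotating the key breaks linkage with older extracts, which is desirable for one-off analyses and a problem for longitudinal ones, so decide that before issuing the first extract.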

Unwanted emails

We’ve all had those unwanted emails, annoying targeted adverts, and phone calls from a total stranger who somehow knows that we have been involved in a car accident – when we have no recollection of it at all.

These come from companies who have managed to get hold of our personal data without our knowledge or consent.

It’s long been unlawful for such communications to be sent without our consent. But GDPR significantly tightens up the rules.

Consent must be freely given, specific, informed and unambiguous. It cannot be buried in lengthy terms and conditions.

That makes it much harder for marketers to establish that they have the requisite permissions, which is why your inbox has probably been littered recently with emails asking for your consent to continue receiving messages.

Oh, and it must be as easy to withdraw consent as it is to give it.

Conflicting advice

The strengthened “consent” is good news for consumers, but preparing for GDPR can be difficult and confusing for businesses.

Emma Heathcote-James runs a small company making natural soaps.

Image caption: Small-business owner Emma Heathcote-James has been given conflicting advice about how to be GDPR-compliant

“One consultant told us if we’d emailed people within the last six months we’re absolutely fine to contact them as long as it’s not subscribed and it was clear they could have had the option to opt out,” she recalled.

“Another consultant said, ‘No, no – that’s absolutely wrong.'”

Businesses with large client lists run the risk that many customers will ignore their requests and their client lists will shrink accordingly.

Data protectors

Public authorities, and organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive categories of data, must appoint a data protection officer.

DPOs’ duties will include monitoring compliance with the law, training staff and conducting internal audits.

They will also be the first point of contact for supervisory authorities and for individuals whose data is processed, including customers and employees.

They must be given the resources to do their job, cannot be dismissed for doing it, and must have direct access to the highest level of management.

Message to self, don’t mess with a DPO.

Policing the law

The watchdog responsible for all this in the UK will be information commissioner Elizabeth Denham.

“We will have more powers to stop companies processing data, but we only take action where there has been serious and sustained harm to individuals,” she explained.

“What this new fining power gives us is the ability to go after larger, global and sometimes multi-national companies where the old £500,000 fine would just be pocket change.”

She added that she accepted that some companies will need time to become fully compliant.

“The first thing we are going to look at is, have they taken steps, have they taken action to undertake the new compliance regime,” she added.

“Do they have a commitment to the regime?

“We’re not going to be looking at perfection, we’re going to be looking for commitment.”

Large fines will be reserved for the most serious cases, she said, when a company refuses to comply voluntarily.

Overall effect?

Companies will be obligated to clearly inform individuals about why they are collecting their personal data, how it is going to be used and with whom it is going to be shared.

All of which means that the GDPR should make our personal data safer and less easily obtained by those we don’t want to have it.

But there will be teething pains and some organisations that do not adapt in time will suffer.

And forget the idea that this could all become moot post-Brexit.

Although GDPR is a piece of EU law, the government has made it clear that the UK will remain signed up.

There are probably two reasons for this: first, if the UK watered down its data protection laws after Brexit, this might result in other Europeans treating the country as a pariah state, which would have an impact on trade.

Second, in the current privacy-preoccupied era, there is unlikely to be much public appetite to dilute GDPR’s protections.

Facebook to exclude billions from European privacy laws

Facebook has changed its terms of service, meaning 1.5 billion members will not be covered by the tough new privacy protections coming to Europe.

The move comes as the firm faces a series of questions from lawmakers and regulators around the world over its handling of personal data.

The change revolves around which users will be regulated via its European headquarters in Ireland.

Facebook said it planned clearer privacy rules worldwide.

The move, reported by Reuters, will see Facebook users outside the EU governed by Facebook Inc in the US rather than Facebook Ireland.

It is widely seen as a way of the social network avoiding having to apply the upcoming General Data Protection Regulation (GDPR) to countries outside the EU.

Image caption: Technology firms are rushing to ensure they are GDPR-compliant ahead of the May deadline

The change will affect more than 70% of its more than two billion members. As of December, Facebook had 239 million users in the US and Canada and 370 million in Europe.

It also had 1.5 billion members in Africa, Asia, Australia and Latin America, and they are the ones affected by the change.

Users in the US and Canada have never been subject to European rules.

“The GDPR and EU consumer law set out specific rules for terms and data policies which we have incorporated for EU users. We have been clear that we are offering everyone who uses Facebook the same privacy protections, controls and settings, no matter where they live,” said Stephen Deadman, deputy chief global privacy officer at Facebook.

Sylvia Kingsmill, a digital privacy expert at consultancy KPMG, said such moves were “an easy way out” for tech firms.

“I think that the public expectation is that their data, which they freely give up to corporate giants, is protected and I think this kind of move will catch up with the firms that make it.”

She added that regulators and lawmakers in the US and Canada were working on their own laws that would reflect the same controls offered by the “game-changing” GDPR.

Positive step

In 2008, Facebook set up its international headquarters in Ireland to take advantage of the country’s low corporate tax rates, but it also meant all users outside the US and Canada were protected by European regulations.

The change will mean users outside Europe will no longer be able to file complaints with the Irish data protection commissioner or in the Irish courts.

GDPR, due to come into force next month, offers EU consumers far greater control over their data. It also promises to fine firms found to have breached data rules up to 4% of their annual global revenue.

Facebook has been under extremely close scrutiny following revelations that up to 87 million users may have had their data harvested by political marketing firm Cambridge Analytica without their consent.

In his answers to Congress over Facebook’s involvement in the scandal, Mark Zuckerberg said that GDPR was “going to be a very positive step for the internet”.

When asked whether the regulations should be applied in the US, he replied: “I think everyone in the world deserves good privacy protection.”

TalkTalk and Vodafone top complaints chart again

TalkTalk has again been named the most complained-about broadband company in the UK, in the latest report from the telecoms regulator Ofcom.

For every 100,000 TalkTalk customers, about 31 made a complaint to Ofcom about the company’s broadband services between October and December 2017.

Technical faults were the main reason for complaints, according to the report.

BT and Vodafone were the most complained-about mobile operators.

Vodafone was also the most complained-about mobile operator in the previous Ofcom report, published in January.

The figures reflect customers who were so unhappy with their service provider and any solutions they offered that they complained to the regulator.

BT came out worst for pay-TV services.

When TalkTalk topped the broadband complaints list in January, it said it had closed customer service centres in India and was delivering a “material improvement in customer satisfaction”.

However, the latest Ofcom report shows that the number of complaints about TalkTalk’s broadband has increased.

The company also attracted the most complaints for its landline telephone service.

“We always strive to provide the best possible experience, and are disappointed by these results,” the company said in a statement.

It again indicated that the “closure of our contact centre in India” was to blame for the poor figures, as it had “caused some temporary disruption for customers”.

Google’s SMS replacement ready to launch

Google has started the global roll-out of its new Chat messaging service, which is designed to replace SMS text messages on Android phones.

Chat has features such as group texts, videos, typing indicators and read receipts, which are not available when sending SMS texts.

Chat will be integrated with the default messages app on Android phones.

However, it will be up to mobile operators to enable the service, and it does not offer end-to-end encrypted messages.

The new system has been in development for several years, but is now beginning to appear on Android phones.

Android’s messaging mess

SMS – the short message service – was widely adopted in the 1990s. It lets mobile phones exchange basic 160-character text messages over the mobile network.

Modern messaging apps offer much more advanced features and send messages over the internet rather than using SMS.

However, the default messaging app on Android smartphones – Messages – is still a comparatively basic SMS client.

Google has tried several times to launch its own feature-rich mobile messaging app, but its attempts have failed to win over a large audience.

On Thursday, the company said it was “pausing” development of its latest effort – Allo – which was launched in 2016.

Advanced rivals

Google’s rivals such as Facebook Messenger and WhatsApp support advanced features such as typing indicators and high-resolution pictures. Apple’s iPhones have the similarly feature-rich iMessage service built-in.

This time, rather than try to launch yet another messaging app, Google has been working to integrate a new messaging standard with its Android operating system.

Mobile operators, phone manufacturers and app-makers will be able to use the new technology to develop messaging apps that are compatible with one another.

Image caption: Chat lets people see when a contact is typing

The standard is known as the Universal Profile for Rich Communication Services (RCS) – but it will be given the more consumer-friendly name of Chat when it is rolled out to Android devices.

To develop Chat, Google has worked with more than 50 mobile networks including Vodafone, T-Mobile and Verizon and manufacturers such as Samsung, LG and Huawei.

Compatibility

Once Chat rolls out worldwide, Android users will be able to take advantage of the advanced features when messaging other Android users.

As with Apple’s iMessage system, if the intended recipient does not have a Chat-compatible device, messages will be sent via the old SMS system instead.

Google has stressed that Chat is not a new Google app. Since RCS is a communications standard, it is up to individual mobile networks and phone-makers to switch on the functionality.

Since messages are sent over the internet, they will not use up a customer’s SMS text message allowance. However, a mobile operator could in theory charge customers a separate fee to use Chat.

US mobile giant Sprint is already providing Chat functionality, while Rogers in Canada has also switched on the service.

Microsoft is one of the companies that has supported RCS but it has not confirmed whether it will add Chat functionality to Windows 10. Apple has not signed up to the project.

Samsung, which already replaces Android’s default messaging app on its devices, will integrate RCS with its own software.

Security experts have warned that Chat does not offer end-to-end encryption. As with SMS, messages are readable by the mobile operator as they pass through its network, so anyone with access to that infrastructure, lawfully or otherwise, can read them; only the sender and recipient can read a message sent over an end-to-end encrypted service.

Google’s Anil Sabharwal told technology news site The Verge that “RCS continues to be a carrier-owned service”, which means that messages can still be legally intercepted.

The company said it expected the functionality to be widely available on Android phones within two years.