The key elements of GDPR are:
- Mandatory breach notifications – fast response and large fines
- The ‘Right To Be Forgotten’ – necessitating the ‘ability to be found’
- Consumer profiling restrictions – personal data should not be used without consent
- Be accountable for your data – appoint a Data Protection Officer (DPO)
The bottom line is that the option to weigh costs of compliance against the risk of prosecution will disappear. It will also dissipate the belief that non-disclosure will protect the reputation of a company. In fact, earlier disclosure may be seen as an honourable and responsible act in a world where data theft and misuse is becoming more common.
The real purpose of GDPR is to shift control of personal data back to the owner of that data, rather than having all rights surrendered the moment a form is filled in or an order is placed. In future, the owner will grant access to personal information rather than pass off ownership of the submitted data.
From an information management perspective, the regulations provide governance over data malpractice and give it real teeth with the threat of fines of 2-4% of annual revenue. If an organisation fails to ask for explicit consent, including accurate details of what data is being taken and how it will be shared, it can be held to account.