Pains, gains of new EU data privacy law

What you need to know:

  • This move is aimed at protecting personal data for EU citizens, or foreigners’ data held by EU companies.

  • Personal data, under GDPR, refers to any information related to a person such as a name, a photo, an email address, bank details, updates on social websites, etc.

  • It gives you and me more control over our information. It also gives us the Right to be Forgotten.

In the last few weeks, you must have seen a surge in the number of emails and alerts from online companies informing you about changes to their privacy policies. Don’t delete them. Don’t ignore or gloss over them. Understandably, they are written in dry legal tone, but bear the pain and read through.

These emails have been sparked by a new European Union law known in short as GDPR: the abbreviation stands for General Data Protection Regulation. The law can be distilled down to two points: that companies need your consent to collect your data; and that you should be required to share only the personal data that is necessary to make their services work.

BANK DETAILS

This move is aimed at protecting personal data for EU citizens, or foreigners’ data held by EU companies.

Personal data, under GDPR, refers to any information related to a person such as a name, a photo, an email address, bank details, updates on social websites, location details, medical information, or a computer IP address.

GDPR opens a new window on how companies will henceforth manage and use our personal information. It gives you and me more control over our information. It also gives us the Right to be Forgotten. In other words, if your data are held by a company in the EU, or by a company in a country that complies with this new law, you can request them to delete your personal information from their servers if you no longer need their services.

COMPLIANCE

Although the weight of this law will be most felt in the EU countries, compliance does not depend on whether a company is physically located in Europe.

Companies with offices within the EU, or those that process data of individuals within the EU, must comply with GDPR. Consequently, many companies have employed a team of data protection experts to help them put in place and maintain compliance measures.

Facebook, for example, which has been under scrutiny for the improper harvesting of user data by the political profiling firm Cambridge Analytica, has updated its privacy controls. Cambridge Analytica was accused of mining millions of Facebook profiles, with the intention of using the data to tip the elections in the US, Kenya and Nigeria.

Organisations that process or store large amounts of personal data, whether for employees, individuals outside the organisation, or both, are expected to have a data protection officer to oversee and advise on matters to do with data security.

PENALTY

Organisations that fail to follow this law will face a painful punishment. Those that should have a data protection officer but fail to employ one will be fined. If there’s a data security breach, the company can be penalised; and fines can be up to four per cent of their global turnover or up to €20 million.

In the wake of these changes, organisations will have to re-think and re-organise how they collect, store and manage data in order to avoid the dreaded penalty.

This law is far more advanced than laws enacted by other countries and it will, without doubt, shape the data landscape for many countries for the foreseeable future. Many countries and companies will model their data security management principles and laws using the GDPR template.

SLEUTHS

Kenya does not currently have specific data protection legislation to regulate the collection, retrieval, processing, storing, use and disclosure of personal data. There is however a bill pending in Parliament since 2015.

The EU law will affect many companies that do business with the EU. To play competitively, we have to build or update our data security laws and systems in tandem with the changing technology landscape.

Importantly, countries, companies and colleges must put in place skills-building plans for data privacy, and use them to build an army of data security sleuths.

The writer is an informatics specialist. @samwambugu2