A brief history of GDPR and why we need it
I wanted to write a quick piece on why the much-discussed EU GDPR (European Union General Data Protection Regulation) is being introduced in May 2018. This blog is to give you an idea of why the GDPR was created (where it came from) and what it could mean to you.
To do this, let us go over some early forms of data protection. The most obvious and widely used examples are lawyer/client and doctor/patient privileges. These are fine examples of data protection rules which are not legislative, but they are in place to prevent the spread of personal or private data beyond those who need to know.
Formalised Data Protection Laws
Following on from the informal forms of data protection, more formalised systems were introduced, notably the EU convention on human rights. This set out basic principles back in the 1950s. The convention outlined the requirement that everybody had the right to respect for their private and family life. It stated that “there shall be no interference from a public authority unless there is a reason. Legal. Security. Criminal.” Please note this isn’t verbatim; it merely conveys the feeling of the convention. This was deemed insufficient and somewhat ambiguous, though, and so more control was needed.
In comes the European council and their convention for the protection of individuals with regard to automatic processing of personal data. This broadly helped to cover the use of computers in the early 80s, and it gave the UK the baseline for the Data Protection Act 1984.
The computer revolution
Then the 80s and 90s saw an unprecedented explosion in the utilisation and availability of computers. This changed how data was collected and processed and, importantly, how it crossed borders within the EU. The existing legislation was clearly insufficient, as one nation’s data protection laws were not necessarily compatible with another’s. This led to the Data Protection Directive of 1995. EU states had to be more rigorous with the minimum standards on data protection. It brought the EU states’ laws into line and helped to ease data crossing EU borders. Crucially, the Data Protection Directive also covered European data leaving the EU, most famously demonstrated with the US-Europe Safe Harbour Act, which broadly states that US data protection law is compatible with EU laws.
In response, the U.K. created the Data Protection Act 1998, the Germans created their equivalent, the French theirs, and so on. This was repeated across all countries, but no two laws married up properly, meaning regulation in one jurisdiction wasn’t equivalent to another. Once again this slowed progress and inhibited the free flow of information across the EU. This, finally, leads us to the creation of the EU GDPR!
So how is GDPR different?
The EU GDPR is more than the Data Protection Directive in so much as it is a regulation, not a directive. A regulation is effectively a law, not a set of minimum requirements, which is essentially what the Data Protection Directive was. The EU GDPR took many years to write and had thousands of amendments due to jurisdictional requirements or small (and large) issues, but it is now in effect.
So what does this all actually mean? In short, anybody who holds data on an EU citizen must (shall) comply with this regulation. English. American. Indian or Penguin. If you have data on an EU citizen, then this regulation applies to you! Speak to one of our specialists to see how user training can help maintain your compliance with the EU GDPR.