GDPR – Getting to grips with the new law
13th February 2018
The law surrounding data protection and processing is changing. Are you ready for the new GDPR regulations which are coming into effect as of 25th May 2018?
Out with the Old – the Data Protection Act 1998
The current legislation relating to data protection is the Data Protection Act 1998. It is defined on legislation.gov.uk as ‘an Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.’ (www.legislation.gov.uk/ukpga/1998/29/introduction).
The original Data Protection Act can be summarised in the following statement:
You (a company) must only “process” “personal data” in accordance with data protection principles (unless an exemption applies).
The Internet, and the world, have progressed significantly in the last 20 years, leaving the rules around how businesses collect and process personal information lacking in many ways. Furthermore, the Information Commissioner's Office (ICO), the enforcer of the policy and law relating to the DPA, does not have sufficient “teeth” to enforce fines on companies that disregard the rules and suffer data breaches.
Unfortunately, many well respected big-name companies have leaked millions of records with few material repercussions or significant fines. The vast number of serious data breaches shows just how many ways data can be put at risk.
Just six months ago, in July 2017, the global information solutions company Equifax reported a major cybersecurity breach affecting 143 million consumers in the US, and some 694,000 UK customers. The breach saw information such as social security numbers, addresses and financial information exposed and stolen.
Carphone Warehouse has only now been fined £400,000 by the ICO after a data breach was confirmed in 2015, in which the personal data of over 3 million customers and 1,000 employees was accessed without authorisation during a cyberattack.
Other companies who have been compromised in recent years include Nationwide, Wonga and even HM Revenue and Customs! You can read a list of companies here: https://www.techworld.com/security/uks-most-infamous-data-breaches-3604586/
It’s uncomfortable reading, to say the least!
It is clear that companies are not doing enough to secure individuals’ data. That said, the new GDPR legislation is not just there to catch up with the internet of 2018, but to ensure that companies of all sizes have better clarity on how they process and protect data. The repercussions for those that do not are considerably greater.
In with the new! The General Data Protection Regulation (GDPR) and why it exists
The EU (of which we remain a member, for now) has set down new rules for how data should be managed by all businesses, regardless of their size or nature.
The General Data Protection Regulation (GDPR) is a directly effective European regulation which will apply in all EU member states, and will supersede the DPA to bring data protection into line with new, previously unforeseen ways in which data is now used. It introduces tougher fines for non-compliance and breaches, and gives people more say in what companies can do with their data. It also brings consistency to data protection rules throughout the EU, regardless of where the data is processed.
Elizabeth Denham, head of the ICO, stated that GDPR “brings a 21st century approach to the processing of personal data”.
As previously mentioned, the UK currently remains a part of the EU. Article 50 (which set in motion the process of the UK leaving the EU within 2 years) was only triggered in March 2017, meaning that the GDPR takes effect before the legal consequences of the Brexit vote, and so the UK must still comply with the new regulations.
What exactly does the GDPR change?
The core scope of the law remains unchanged: it still covers all automated processing of personal data, and personal data held in structured paper files. However, with the fast-approaching implementation of the GDPR, it now applies more widely.
Under the outgoing DPA, data processors were not as liable as data controllers in cases of data breaches. Under the GDPR, processors hold the same liability as controllers. Data processors must ensure that all relevant contracts between themselves and data controllers are updated to incorporate the new data processing terms set out in the GDPR.
Data processors are required to maintain records of their processing activities; however, the responsibility for ensuring that the processor adheres to data protection law lies with the data controller.
While the current data protection law applies only within the EU, the GDPR requires any organisation based outside the EU that sells goods and services to, or monitors the behaviour of, individuals within the EU to be fully compliant with the new regulations as well.
So, what happens if you don’t get GDPR right?
As the law on data protection tightens, it goes without saying that the implications of being non-compliant will tighten too.
Any person who becomes aware of a data breach that risks people’s rights and freedoms has a responsibility to inform their data protection authority within 72 hours. This is called a breach notification.
If you are found to be non-compliant with the GDPR, the consequences can include:
- Enforcement by the ICO, including:
  - Warnings and reprimands;
  - Temporary or permanent bans on data processing;
  - Orders to rectify, restrict or erase data;
  - Suspension of data transfers to third parties; and
  - Fines of up to €10 million or 2% of annual global turnover (whichever is higher), or, for the more serious infringements, up to €20 million or 4% of annual global turnover (whichever is higher).
- Compensation claims.
- Negative publicity.
To Summarise – The GDPR change in a nutshell
GDPR covers a vast number of areas in relation to data protection and processing. These new regulations are being implemented to enable individuals to better control their personal data. The new law brings a 21st century approach to data protection, and expands the rights that data subjects hold over how their information is collected and processed. It also places new obligations on organisations to be more accountable for data protection. This article outlines the fundamentals of what you need to know about the new regulations that will apply from 25th May 2018.
For further information, visit: https://ico.org.uk/for-organisations/data-protection-reform/
A Glossary of useful GDPR terms
Processing
The term ‘processing’ is very broad, and covers an extensive list of operations that could be performed on, to or with information or data. This includes, but is not limited to, the organisation, retrieval and disclosure of the information or data. This clarifies that data protection law applies wherever an organisation does anything that involves or affects information or data. ‘Automated processing’ means anything done on a computer.
Data controller
A data controller dictates how and why personal data is processed. They are the decision maker; for instance, a customer or an organisation.
Data processor
A data processor is the party doing the actual processing of the data; for instance, an IT company or a payroll services provider that stores and processes the data provided.
The data processor tends to blindly process data in accordance with the data controller’s wishes. For example: customers of Staff Squared are the data controllers and Staff Squared itself is the data processor.
Consent
Consent, in terms of data processing, means a specific and informed indication of how any data should be used and processed.
Data breach
A breach of security that leads to the accidental, unauthorised or unlawful loss, access, alteration or disclosure of personal data.
Scope
The extent of the area or subject matter that something deals with, or is relevant to.
Relevance
The quality of being relevant or appropriate.
Right to access
Data subjects hold the right to request and obtain confirmation from the data controller as to whether personal data concerning them is being processed, and for what purpose. Data subjects also have the right to request an electronic copy of the personal data, free of charge.
Right to be forgotten (Data Erasure)
The right to be forgotten entitles data subjects to have their personal data erased, or to halt the processing of that data. This applies where the data is no longer relevant or where the data subject withdraws consent. Controllers are required to weigh the data subject’s rights against “the public interest in the availability of the data” when considering such requests.
Data Protection Officer (DPO)
Appointing a Data Protection Officer is mandatory for all public authorities, and for some private companies. A DPO has formal responsibility for ensuring that the organisation is fully data protection compliant. The role includes informing and advising the organisation and its employees of their data protection obligations under the GDPR, monitoring the organisation’s compliance with the GDPR, and serving as the contact point for data subjects on privacy matters.
Privacy Impact Assessments (PIAs)
PIAs are a useful tool that organisations can adopt to identify the most effective and efficient way to comply with and meet their data protection obligations. An efficient PIA enables organisations to identify and correct problems at an early stage.
Privacy by design
The inclusion of data protection from the outset of designing a system, rather than as an afterthought. As outlined by Article 23, controllers must only hold and process data that is necessary to complete their duties (data minimisation), and must limit access to personal data to those who are processing the information.
A method of overwriting information to completely destroy all history of any electronic data held on a hard drive or other digital media.