Data protection in the UK
In 1998, the UK parliament passed the Data Protection Act (DPA), which came into force in 2000, to safeguard individuals’ personal data when it is used by businesses, non-profits and government. The DPA requires that personal data is processed fairly and lawfully, used only for specified purposes, kept no longer than necessary, and kept secure. Every business, organisation and public body that handles personal data must comply with it.
Almost every company relies on some form of personal data, even if only staff payroll or customer contact details. A business that decides how and why personal data is processed is a ‘data controller’ and, unless exempt, must register with (notify) the Information Commissioner’s Office (ICO), the independent regulator whose role is to uphold information rights in the public interest.
The DPA and ICO guidance should not be taken lightly. A business that breaches the DPA can face enforcement action and substantial fines (up to £500,000 for a serious breach under the DPA 1998), and individuals who unlawfully obtain or disclose personal data can be prosecuted. For anyone who thinks the ICO has no teeth, consider the figures: in 2010, the ICO imposed its first two monetary penalties, totalling £160,000, for DPA non-compliance. As of August 2017, 44 companies had been fined a total of £3,107,500. With that number in mind, it pays for you and your business to be informed and compliant.
GDPR to replace DPA
The EU General Data Protection Regulation (GDPR) entered into force in May 2016 with the aim of unifying and streamlining data protection law across the European Union. After a two-year transition period, it applies directly in all 28 EU member states from 25 May 2018, superseding the DPA in the United Kingdom and the Data Protection Directive 95/46/EC across Europe.
The GDPR was developed to consolidate and strengthen data protection for all EU citizens and residents. Simply put, individuals gain greater control over their personal data. The GDPR also aims to simplify data regulation for international business and sets out specific conditions for transferring personal data outside the EU. Unlike a directive, which each member state must transpose into national law in its own way, a regulation is directly applicable in every member state without national implementing legislation (although the GDPR does leave member states room to legislate on certain specific points).
With GDPR enforcement just around the corner, you need to know what the GDPR means for your business and what to do to ensure you comply.
GDPR: what to know
While the protection of personal data remains the core aim of the GDPR, the regulation broadens the DPA in many ways. For example, the definition of personal data is wider, appointing a data protection officer (DPO) becomes mandatory for many organisations, and there are new requirements for notifying data breaches. Here are four key GDPR changes that may affect your business.
Personal data definition
The GDPR defines personal data more widely, so more of the data you hold falls within the rules. Personal data is any information relating to an identified or identifiable individual, including online identifiers such as IP addresses and cookie IDs, and factors specific to a person’s physical, physiological, genetic, mental, economic, cultural or social identity. Companies must know what data they hold and, under the data minimisation principle, collect and keep only what they actually need; they must also not retain personal data for longer than necessary. Consent is one of the lawful bases for processing personal data (others include performance of a contract, a legal obligation and legitimate interests) and, where you rely on it, the bar is higher than under the DPA: the individual must give a clear, affirmative indication of agreement before the processing starts, and the GDPR is explicit that silence, pre-ticked boxes or inactivity do not constitute consent.
Data Protection Officer
The GDPR requires every public authority or body (other than courts acting in their judicial capacity) to appoint a DPO. Private organisations must appoint one if their core activities involve ‘regular and systematic monitoring of data subjects on a large scale’ or large-scale processing of ‘special categories of personal data’ (such as health, biometric or genetic data) or data about criminal convictions. The GDPR does not prescribe formal qualifications for a DPO, but it does require that they have ‘expert knowledge of data protection law and practices’; the role may be filled by an existing employee or by an external contractor.
Data breach notifications
Data controllers must report personal data breaches to their supervisory authority, the ICO in the UK, unless the breach is ‘unlikely to result in a risk to the rights and freedoms’ of the individuals concerned. Notification must be made without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach; if it takes longer, the reasons for the delay must be given. Data processors do not report to the ICO directly but must notify the controller they work for without undue delay after discovering a breach. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay. Whatever the outcome, every breach must be documented internally, including its effects and the remedial action taken.
The GDPR places direct legal obligations on data processors, not just on controllers, so a processor can be held accountable (and fined) for breaches of its own obligations. Controllers and processors must set out their respective responsibilities in a written contract covering how personal data is used and protected. In short, your company carries greater accountability and liability for any personal data it processes, whether on its own behalf or for a client.
Privacy by design
Privacy by design means building privacy and data protection into a system or process from the outset rather than bolting it on afterwards. The DPA does not require it, although the ICO has long recommended it. Under the GDPR, where it is called ‘data protection by design and by default’, it becomes a legal obligation: appropriate technical and organisational measures, such as pseudonymisation and data minimisation, must be built in from the design stage of any service that processes personal data, and by default only the data necessary for each specific purpose should be processed. Alongside this, the purpose limitation and storage limitation principles mean that data may only be collected for specified purposes and must be deleted or anonymised once it is no longer needed.
GDPR: what to do
You may be thinking: ‘We’ve got a lot to do before 25 May next year.’ Quite possibly. First, see how many of these questions you can honestly answer yes to, and use that to gauge your company’s readiness for GDPR.
- Are you raising awareness among your employees about the implementation of GDPR and its implications for business?
- Have you documented all the personal data held by your business, including where it came from and with whom it is shared?
- Have you designated responsibility for data protection to a suitably qualified and experienced employee?
- Have you reviewed your current privacy protocol and do you have a plan in place to accommodate the necessary changes in time for the GDPR deadline?
- Have you checked your data protection procedures to ensure that you can protect the rights of individuals as required by the GDPR?
- Has your business implemented sound procedures so that any personal data breaches are detected, reported and investigated in a timely and effective manner?
How did you score? Hopefully, the ‘yeses’ outnumber the ‘noes’. There are many other questions you will need to reflect on and answer to be fully prepared for the arrival of GDPR. But there is no need to panic: you still have time to plan, consult and prepare for the changes coming next year. The ICO website, which publishes practical preparation guidance, is a good place to start in developing a game plan for GDPR readiness.
The GDPR one-stop shop
Is the GDPR simply another mass of convoluted rules and regulations designed to complicate your business operations? The simple answer is no. The GDPR brings real benefits, especially if you operate in two or more EU states. From May next year, an organisation whose processing crosses borders deals primarily with a single ‘lead’ supervisory authority in the member state of its main establishment, rather than a separate regulator in each country. This one-stop-shop mechanism is intended to bring consistency and reduce compliance costs for businesses.
Get ready for GDPR
If you haven’t taken data protection seriously before, now is the time. Data breaches have become a fact of business life, and they are happening more frequently and with greater impact. As Verizon’s 2016 Data Breach Investigations Report puts it, ‘no locale, industry or organization is bulletproof when it comes to the compromise of data.’
There’ll be more current news and advice on the General Data Protection Regulation in the Zhero Report out on 1st January 2018. Also, you can join the Zhero mailing list for updates on GDPR and more.