How well were companies storing your data before the General Data Protection Regulation?
In the past few months, and more so in the past few weeks, we have been receiving letters and email after email from companies about changes to their privacy policies. Most people, if not all, are probably wondering what all this is about and, more specifically, what the GDPR (General Data Protection Regulation) is.
Until the 25th May 2018, the Data Protection Act 1998 was the UK law governing how personal data is processed, stored and protected by organisations, businesses and even the government.
Data Subject Access Requests (DSAR) are one of the data subject rights conferred under the General Data Protection Regulation (GDPR). Under the 1998 Act, controllers with access to this personal data followed somewhat strict rules known as the ‘data protection principles’, which meant that they had to ensure the information they had access to was:
- Used fairly and lawfully
- Utilised for limited, specifically stated purposes
- Adequately used, relevant and not excessive
- Kept for no longer than is necessary
- Handled according to people’s data protection rights
- Kept safe and secure
- Not transferred outside the EEA without adequate protection
Especially stringent legal protection applied to sensitive information such as:
- Ethnic background
- Political opinions
- Religious beliefs
- Sexual health
- Criminal records
If the Data Protection Act 1998 was effective in safeguarding citizens’ personal information, then why has the General Data Protection Regulation been introduced, and why is every company so serious about incorporating it?
Possibly because many corporate giants are misusing this information in light of recent advancements and developments in modern technologies. The Data Protection Act 1998 therefore failed to provide a useful safeguarding measure for the data of today.
We live in a data-central world: all our interactions, everything we search for, buy or even post on social media, are processed and stored by organisations to target and tailor the specific advertisements you see across your Facebook page or even Instagram. Surprised? Well, while this may make life easier, more convenient and more connected, is anyone aware of exactly what their data is being used for apart from these adverts? It could also be sold to third parties without knowledge or consent. This is why the GDPR came into effect.
The GDPR, and following on from it the Data Protection Act 2018, ensure that this personal data is used properly and legally in this data-central world. They do not allow organisations to circumvent the rules as they could under the previous Data Protection Act and Directive, because they place specific legal obligations on organisations, making them severely liable for any breaches.
The new law builds upon the 1998 Act by obligating organisations to be more transparent and accountable, placing limits on storage and strengthening confidentiality. Additionally, both the GDPR and the Data Protection Act 2018 emphasize the importance of the rights available to citizens, such as access, being informed, rectification, data portability, process restriction, and objection.
But isn’t this an EU regulation that will become irrelevant after Brexit?
The GDPR replaces the previous EU directive and is enforced as a regulation, and it is significant for controlling how the data of EU citizens is handled by companies outside the EU as well as within it. Therefore, the Data Protection Act 2018 enshrines the GDPR into British law, covers data processing that does not fall under EU law, and adjusts the standards to accommodate and work in the national context.
The ICO welcomed the Data Protection Act 2018 eagerly. It believes the Act will “give the UK one of the world’s most progressive data protection regimes”. Rightly so: it is a landmark shaping the future of data confidentiality by preventing theft of identity and exploitation of data by corporate giants, and by entrenching human rights.