How well was your data stored by companies before the General Data Protection Regulation?
In the past few months, and more so in the past few weeks, we have been receiving letters and email after email from companies about their privacy policies changing. Most people, if not all, are probably wondering what this is all about and, more specifically, what the GDPR (General Data Protection Regulation) is.
Until 25th May 2018, the Data Protection Act 1998 was the UK law governing how personal data is processed, stored and protected by organisations, businesses and even the government.
Controllers with access to this data followed somewhat strict rules known as the ‘data protection principles’, which meant that they had to ensure the information they had access to was:
- Used fairly and lawfully
- Used for limited, specifically stated purposes
- Used in a way that is adequate, relevant and not excessive
- Kept for no longer than is necessary
- Handled according to people’s data protection rights
- Kept safe and secure
- Not transferred outside the EEA without adequate protection
There was especially stringent legal protection for sensitive information such as:
- Ethnic background
- Political opinions
- Religious beliefs
- Sexual health
- Criminal records
If the Data Protection Act 1998 was effective in safeguarding citizens’ personal information, then why has the General Data Protection Regulation been introduced, and why is every company so serious about incorporating it?
Possibly because many corporate giants had been misusing this information in light of recent advancements and developments in modern technologies. The Data Protection Act 1998 therefore failed to provide a useful safeguarding measure for the data of today.
We live in a data-central world: all our interactions, everything we search for, buy or even post on social media, is processed and stored by organisations to target and tailor the specific advertisements you see across your Facebook page or even Instagram. Surprised? Well, while this may make life easier, more convenient and more connected, is anyone aware of exactly what their data is being used for apart from these adverts? It could also be sold to third parties without knowledge or consent. This is why the GDPR has been enforced.
The GDPR and, following on from this, the Data Protection Act 2018 ensure this personal data is used properly and legally in this data-central world. By placing specific legal obligations on organisations and making them severely liable for any breaches, they do not allow organisations to circumvent the law as they did the previous Data Protection Act and Directive.
The new legislation builds upon the 1998 Act by obligating organisations to be more transparent and accountable, placing limits on storage and strengthening confidentiality. Additionally, both the GDPR and the Data Protection Act 2018 emphasise the importance of the rights available to citizens, such as access, being informed, rectification, data portability, process restriction and objection.
But isn’t this an EU regulation? After Brexit, won’t it become irrelevant?
While the GDPR may be replacing the previous EU directive and enforcing it as a regulation, it is significant for controlling how the data of EU citizens is handled by companies outside the EU as well as within. Therefore, the Data Protection Act 2018 enshrines the GDPR in British law, covers data processing that does not fall under the scope of EU law, and adjusts the standards to accommodate and work in the national context.
The Data Protection Act 2018 is welcomed eagerly by the ICO, which believes it will “give the UK one of the world’s most progressive data protection regimes”. Rightly so: it is a landmark, shaping the future of data confidentiality, preventing theft of identity and exploitation of data by corporate giants, and entrenching human rights in regard to data processing.