Any business found to be in breach of the Data Protection Act 2018 could receive financial penalties of up to £500,000 from the Information Commissioner’s Office (ICO). With the urgent need for the Data Protection Act (DPA) to be reviewed, the DPA was replaced by the EU General Data Protection Regulation (GDPR). In summary, every business in the EU needed to comply with the GDPR from May 25th, 2018, or potentially face much stiffer financial penalties.
GDPR, the updated Data Protection Act 1998
If you have a business in the EU, then you will be aware of the General Data Protection Regulation (the GDPR). It all began in 2012, when the European Commission laid down the basis for reforming data protection across all member states within the EU. These reforms were put in place to ensure that Europe keeps pace with an ever-evolving digital revolution, one that necessitates extra protection for users who readily divulge private information online. This new legal framework applies to all organisations in Europe, but also globally to any organisation that processes the data of individuals within Europe.
What are the main entities of the GDPR?
Under the GDPR there are three data entities:
- The data controller can be a single person within an organisation, or it may be a public authority or agency. Ultimately, the data controller is the body that determines “the purposes and means of processing of personal data”;
- The data processor can be a public body or an individual who carries out the processing of personal data on the controller’s behalf.
- The Data Protection Officer (DPO) is a new role brought into force by the GDPR. The role of the DPO is “to ensure that an organisation processes the personal data of its staff, customers, data providers or any other individuals (also referred to as data subjects) with GDPR compliance with the applicable data protection rules.”
The GDPR places a higher level of responsibility upon processors and controllers, who are legally required to ensure that GDPR compliance is in place across the organisation and in all third-party contracts.
- The GDPR backbone is to ensure there are solid standards for the protection and privacy of data that is held by organisations but also to ensure that businesses can benefit in this global digital economy.
- The regulations were developed over many years to reflect how we live in this digital era, focusing mainly on the areas of protection, privacy and consent.
- The GDPR has been designed not only to regulate but also to speed up global business internet usage.
The GDPR and online services
The bottom line is that every aspect of daily life now revolves around being online, whether it's
- Social networking
- Online banking
- Online shopping
Each of these is an essential example, but online experiences continue to change and evolve. The GDPR has been designed to cover existing and new developments efficiently, unlike the now dated DPA 1998. Practically every online service is involved in collecting and analysing personal data, and most people are happy to accept privacy risks for the convenience of using online services. Conversely, third-party “behind the scenes” organisations that track and monitor data online are the primary subject of the GDPR.
These organisations are typically ISPs (Internet Service Providers), who are legally obliged to track and monitor data to ensure the smooth running of networks and to prevent security attacks. ISPs have in many instances been permitted to collect and sell private data without permission, and they have access to billions of online e-commerce transactions, which allows them to analyse data and understand individuals' buying trends.
The GDPR, at last, protects an individual’s data and information against such practices. Online conglomerates make it their business to collect data and compose a valuable resource to be sold to marketers and advertisers. Companies such as those mentioned below have been a huge financial success, not just because of the user experience they offer, but mainly because of their rudimentary advertising business models: the ability to deliver related adverts to customers based on their previous browsing history.
Income is generated by the likes of Facebook each time an advert is delivered to a target user or a link is clicked, for example. Every click you make is tracked and accessed by the likes of Facebook, and based on your previous searches and browsing history, the websites know exactly what advertising should be displayed to you.
Internet privacy and the question of data collection and storage have been simmering for many years. The fact that data breaches result in stolen or lost information, together with the negligent sharing of private data, is the chief problem that the GDPR will hopefully resolve. Data breaches have been taking place for years, but the dated DPA regulations and their financial penalties were not a sufficient deterrent to the larger online businesses.
✓ Comply or Indemnify
The GDPR fines are far higher than the financial penalties under the DPA, so every organisation will need to comply with the regulations. It is a mistake to assume that a small business will fall outside of these regulations, and action should be taken to determine how data is collected and stored. There are substantial penalties and GDPR fines in place for non-compliance.
✓ Protection of Data and Personal Information
Many types of information may be classed as personal data. This is data that has the potential to identify an individual, and it includes but is not limited to:
- IP addresses
- Genetic data
- Biometric data
- Account numbers
Businesses are required to ensure that they have a GDPR compliance policy and procedure by undertaking an action plan to determine:
- How is data captured?
- How is the data held?
- How will the data be used?
- Where is it going, is it outside of the EU?
Once this exercise is complete, your business must carry out impact assessments on data protection and privacy, to help your organisation identify and deal with potential issues in the event of a security breach. How your business deals with a GDPR data breach is a process of paramount importance, and one that has to be taken seriously when achieving GDPR compliance.
Article 35 of the GDPR gives guidance and downloads on what an impact assessment should contain; this is essential information for every business to understand in order to ensure GDPR compliance. A detailed policy, including GDPR training to spread awareness across all departments, should be drawn up, making certain that all safeguards and security measures are in place, that any risk is kept to an absolute minimum, and that everyone knows what should happen in the event of a breach.
The emphasis for all organisations should be on policies, procedures, and systems designed with data protection in mind. It is crucial in this digital age that organisations have effective and integral security in place to protect the data they hold.
✓ Rights of Individuals
A major change brought about by the GDPR is a greater array of rights for individuals to control how their private data is used, including the rights:
- To understand what data and information is held;
- To refuse the use of such data; and
- To have personal data held by organisations deleted.
✓ Fair and Transparent Data Processing
The GDPR has imposed duties upon businesses to provide detailed explanations directly to their data subjects in a clear and transparent manner. Businesses are therefore urged to incorporate these explanations into their policies and procedures in such a way as to make them available to individuals. Such policies have to provide a comprehensive outline of the basis and purpose of the organisation's use of personal data.
Extra Issues to take into consideration
✓ Data Breaches
All organisations should be fully aware, across all departments and personnel, of what would constitute a security breach.
The GDPR stipulates:
“A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches as an outcome of both accidental and deliberate causes. It also means that a breach is not just about losing personal data.”
The ICO website is a useful resource for a more detailed explanation of data breaches and clear examples of what constitutes a breach.
Providing thorough GDPR training and having strict policies and procedures in place will significantly assist an organisation. This is vital to help all personnel recognise and understand any breach and to know how to act when one occurs.
✓ Third Party Contracts
Many organisations use third-party suppliers and contractors; it is the norm in business, but how will this be affected under the GDPR?
Any well-reputed organisation will always want to avoid entering into detrimental relationships with third-party businesses. One method of ensuring that your organisation remains compliant is to carry out checks on each of your suppliers to confirm that they too comply with the GDPR, regardless of where they are based. If they are holding and processing data from the EU, they must also adhere to the GDPR. Due diligence background checks on existing and new suppliers and business partners will help to avoid risks and potential problems in the future.
GDPR and Data Protection Act 1998 Summary
The GDPR is all about creating transparency and long-term trust between organisations and their data subjects. It is clear the GDPR has come a long way since the DPA of 1998, and this is what has been needed for so many years. The provisions change the way in which data and consent are acquired from individuals, and implementing well-thought-out policies and procedures will ensure your organisation is GDPR compliant and avoids GDPR fines for not adapting to the regulations. Regular reviews of the GDPR and of your own policies and procedures will ensure you stay compliant and also gain the trust of not only your customers but other third-party organisations who would like to develop business services with similarly compliant organisations.
How to be GDPR Compliant?
There is much more to understand to make your business GDPR compliant, far more than was necessary under the Data Protection Act 1998. Companies such as Seers offer GDPR consultancy and Data Protection Services, providing the resources and tools to ensure that your business does not fall foul of the hefty GDPR fines. Robust AI software solutions create custom data protection solutions, giving your organisation's GDPR compliance a far more structured and proven approach.