The GDPR regulation of May 25th, 2018 provided much-needed improvements to the Data Protection Act (DPA) of 1998. It was felt by many to be long overdue, with the DPA no longer fit for the purpose for which it was originally designed.
The guidelines of the DPA 1998 stated that businesses in the United Kingdom that collect, store or process individuals' personal details and information must adhere to the regulations as defined by the Data Protection Act of 2018.
For businesses that did not adhere to these regulations, fines of up to £500,000 could be issued to the organisation for failure to comply with the Data Protection Act. Any fines issued under the DPA were typically for data breaches, and in practice they were very often not issued at all.
However, the Data Protection Act 1998 had become outdated, as the way businesses manage and use personal data has changed completely with online shopping, social media, data analysis and online marketing built on personal data and trends.
Summarising the principles of the DPA
The Data Protection Act 1998 was applicable to all UK-based businesses and organisations that were holding or processing individuals' personal data and information. A set of guidelines was available for businesses, mainly for self-management.
The key points of the DPA are set out below; these were the fundamental points that businesses needed to comply with to meet the regulations set out by the DPA.
Businesses and organisations must ensure that personal data is:
» used properly and legally;
» fairly acquired, held and processed only for specified purposes;
» sufficient and relevant and by no means excessive;
» accurate and kept up to date;
» not retained for an excessive period if no longer applicable;
» processed with the individual's rights always taken into consideration;
» securely stored and processed;
» not transferred outside of the UK unless sufficient legal protection is in place.
Any business found to be in breach of the Data Protection Act 2018 could receive financial penalties of as much as £500,000 from the Information Commissioner's Office (ICO).
With the urgent need for the DPA to be reviewed, the DPA was replaced with the EU General Data Protection Regulation (GDPR). In summary, each and every business in the EU needed to comply with the GDPR from May 25th, 2018, or potentially face much stiffer financial penalties.
GDPR, the updated Data Protection Act 1998
If you have a business in the EU, then you will be aware of the General Data Protection Regulation (the GDPR).
It all started in 2012 when the European Commission laid down the basis of reforms of data protection to be applied across all member states within the EU.
These reforms were put in place to ensure that Europe is in line with an ever-evolving and modern digital revolution that requires extra safeguards and protection for users who readily divulge private information online.
The implications of this new legal infrastructure apply not only to all organisations in Europe but also globally for any organisation that processes data of individuals within Europe.
What are the main entities of the GDPR?
Under the GDPR there are three data entities:
- The data controller. This may be a single person within an organisation, or it may be a public authority or agency. Ultimately, the data controller is the body that determines “the purposes and means of processing of personal data”.
- The data processor. Again, this may be an individual or public body who carries out the actual processing of personal data on behalf of the controller.
- The Data Protection Officer (DPO). This is a new entity brought into force by the GDPR, and the role of the DPO is “to ensure that an organisation processes the personal data of its staff, customers, data providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules”.
The GDPR places a higher level of liability upon processors and controllers, who are legally required to ensure that GDPR compliance is in place across the organisation and with respect to all third-party contracts.
» The backbone of the GDPR is to ensure there are solid standards for the protection and privacy of data held by organisations, but also to ensure that businesses can benefit in this global digital economy.
» The regulations have been developed over many years to reflect how we live now, in this digital era, especially focussing on the areas of protection, privacy and consent.
» The GDPR regulations have been designed in such a way as to not only regulate but to speed up global business internet usage.
The GDPR and online services
The bottom line is that every aspect of daily life now revolves online, whether it's
» Social networking
» Online banking
» Online shopping
Each of these is an important example, but online experiences continue to change and evolve. The GDPR has been designed to cover existing and new developments efficiently, unlike the now dated DPA 1998.
Practically every online service is involved with the collecting and analysing of personal data and most people are happy to accept and take privacy risks due to the convenience of using online services.
Conversely, third-party “behind the scenes” organisations that track and monitor data online are the primary subject of the GDPR.
These organisations are typically ISPs (Internet Service Providers), which are legally obliged to track and monitor data to ensure the smooth running of networks and to prevent security attacks.
ISPs have in many instances been permitted to collect and sell private data without permission, and they have access to billions of online e-commerce transactions, which allows them to analyse data and understand individuals' buying trends.
The GDPR, at last, has protected individuals' personal data and information against such practices.
Online conglomerates make it their business to collect data to compose a valuable resource of data to be sold to marketers and advertisers.
Companies such as those listed below have been a huge financial success, not just down to the user experience that they offer, but mainly due to their fundamental business models for advertising and their ability to deliver relevant adverts to users based on their previous browsing history.
Income is generated by the likes of Facebook each time an advert is delivered to a target user or a link is clicked, for example. Every click you make is tracked and accessed by the likes of Facebook, and based on your previous searches and browsing history the websites know exactly what advertising should be displayed to you.
Internet privacy and the question of data collection and storage has been simmering for many years. Data breaches resulting in stolen or lost information, and the negligent sharing of private data, are the chief problems that the GDPR will hopefully resolve.
For too many years data breaches have happened, but under the dated DPA regulations the financial penalties were not sufficient to deter the larger online businesses.
Comply or Indemnify
The GDPR provides that all businesses that collect and process data, regardless of the size of the organisation, will need to comply with the regulations.
It is a mistake to assume that a small business will fall outside of these regulations, and action should be taken to determine how data is collected and stored.
There are substantial penalties and GDPR fines in place for non-compliance; the GDPR fines are far greater than the financial penalties under the DPA.
Protection of Data and Personal Information
Many types of information may be classed as personal data. This is any data that has the potential to identify an individual, and it includes but is not limited to:
- IP addresses
- Genetic data
- Biometric data
- Account numbers
Businesses need to ensure that their organisation has a GDPR compliance policy and procedure by undertaking an action plan to determine:
» How is data captured?
» How is the data held?
» How will the data be used?
» Where is it going, is it outside of the EU?
Once you have completed this exercise, your business should carry out impact assessments on data protection and privacy, to help your organisation identify and deal with potential issues in the event of a security breach.
How your business deals with a GDPR data breach is a process of paramount importance, and one that needs to be taken seriously when achieving GDPR compliance.
Article 35 of the GDPR gives guidance on what an impact assessment should contain; this is essential information for every business to understand in order to ensure GDPR compliance.
A detailed policy, including GDPR training to ensure awareness across all departments, should be drawn up. It should make certain that all safeguards and security measures are in place, set out how any risk can be kept to an absolute minimum, and define what should happen in the event of any breach.
The emphasis for all organisations should be on policies, procedures and systems which are designed with every aspect of data protection in mind.
It is crucial in this digital age that organisations have effective and integral security in place to protect the data they hold.
Rights of Individuals
A major change brought about by the GDPR is a greater array of rights for individuals to control how their private data is used, including the rights to:
- understand what data and information is held;
- refuse the use of such data; and
- have personal data held by organisations deleted.
Fair and Transparent Data Processing
The GDPR has imposed duties upon businesses to provide detailed explanations directly to their data subjects in a clear and transparent manner.
Businesses are being urged therefore to incorporate these explanations into their policies and procedures in such a way as to make them available to individuals.
Such policies should provide a comprehensive outline of the organisation's basis and purpose for the use of personal data.
Extra Issues to take into consideration
All organisations need to be fully aware across all departments and personnel as to what would constitute a security breach.
The GDPR stipulates:
“A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
The ICO website is a useful resource to have a more detailed explanation about data breaches and clear examples of what constitutes a breach.
It will greatly assist an organisation to provide thorough GDPR training and to have strict policies and procedures in place; this is essential to help all personnel recognise a breach and to know how to act when any breach occurs.
Third Party Contracts
Many organisations use third-party suppliers and contractors; it is the norm in business, but how will this be affected under the GDPR?
Any organisation with a good reputation will always want to avoid entering into detrimental relationships with third-party businesses.
A method of ensuring that your organisation remains compliant is to carry out checks on each of your suppliers to confirm that they too comply with the GDPR regulations.
Regardless of where your suppliers are based, if they are processing or holding data from the EU they must also adhere to the GDPR regulations.
Due diligence background checks upon existing and new suppliers and business partners will help to avoid risks and potential problems in the future.
GDPR and Data Protection Act 1998 Summary
The GDPR is all about creating transparency and long-term trust between organisations and their data subjects. It is clear the GDPR has come a long way since the DPA of 1998, and this is clearly what has been needed for so many years.
The provisions change the way in which data is acquired and consent is obtained from individuals. By implementing well-thought-out policies and procedures, your organisation can ensure it is GDPR compliant and avoid GDPR fines for failing to adapt to the regulations.
Regular reviews of the GDPR and of your policies and procedures will ensure you stay GDPR compliant, and will also gain you the trust of not only your customers but other third-party organisations who would like to develop business services with likewise compliant organisations.
How to be GDPR Compliant?
There is a lot to understand to ensure your business has GDPR compliance, far more than was necessary for the Data Protection Act 1998.
Companies such as Seers offer GDPR consultancy and data protection services, offering the resources and tools to ensure that your business does not fall foul of the large GDPR fines. Powerful AI software solutions create customised data protection solutions, giving your organisation's GDPR compliance a far more structured and proven approach.