The current data protection regime dates from the late 1990s, and the technological advances since then have been tremendous. The spread of powerful personal computers, laptops, tablets and smartphones means that the amount of digital information being created, captured and stored has increased enormously.
That increase has left the existing data protection laws inadequate: there are too many areas in which data can be misused that they never anticipated. The GDPR completely overhauls a legal framework that is no longer appropriate for the modern technological world.
The General Data Protection Regulation was created to better govern the way businesses handle personal data, including sensitive personal data. It regulates how companies communicate with individuals and how they store and use client information. It applies to any organisation established in an EU member state, and also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
The GDPR is a regulation rather than a directive, which sets it apart from its predecessors. A directive sets out goals, but exactly how they are implemented is left to each country, so the resulting national laws differ from one another. This creates confusion and makes enforcing the directive consistently across borders complicated.
A regulation, by contrast, is directly binding in every member state without needing to be transposed into national law, so failure to comply carries the same serious penalties everywhere. All countries must abide by the same set of rules without exception.
Brexit will have no effect on the impact or implementation of the GDPR. Even after Britain leaves the EU, companies with subscribers or contacts in Europe will still be required to follow the same rules or face the consequences for failing to do so. The General Data Protection Regulation in the UK will be enforced by the Information Commissioner’s Office.
The GDPR’s provisions will be carried into a new Data Protection Bill that the UK is introducing, so the rules will be essentially the same for UK businesses as for any other EU member state. The bill makes only a few minor additions, including specific protections for certain groups such as journalists, researchers and anti-doping agencies. As of this writing the bill has not yet passed and has already been the subject of several amendments.
Once the Data Protection Bill is passed, the existing data protection laws will be repealed and the new act will come into full effect.
The regulation covers any data, personal or sensitive, that can be used to identify an individual, whether directly or in combination with other information. In practice almost anything held about a person falls within scope. Personal data includes identifiers such as a name, postal address, telephone number or social media ID. Sensitive data (the GDPR’s “special categories”) covers information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data about a person’s sex life or sexual orientation.
While the GDPR’s definitions largely match current data protection law, it differs in one notable respect: pseudonymised data remains personal data, and therefore remains in scope, as long as the individual can still be re-identified, for example by combining the pseudonym with other information the organisation holds.
The GDPR places a much greater emphasis on transparency between a customer and the company whose services they use. Finding out exactly what information a business holds about you becomes far more straightforward.
The regulation also makes the responsibilities of businesses holding personal information clearer: the rules spell out what a company must do to obtain valid consent, and the company must be able to demonstrate that consent was in fact given. Any company that fails to follow the GDPR faces fines and other serious consequences.
The GDPR is designed so that the individual is always protected. Companies must be open about their processing, and individuals gain several new rights, including the rights to access their data, to have it erased and to challenge automated decisions, each described below.
The term “personal data” covers anything that can be used to identify an individual, so even a social media ID must be protected. Consent is one of the lawful bases on which a company may collect and process data; where a company relies on it, the request for consent must be clear, specific to what the company intends to do, and presented separately from other terms and conditions rather than buried in them.
Two types of consent must be considered, depending on whether the data being requested and processed is personal or sensitive. For personal data, consent must be unambiguous, given by a clear affirmative action. For sensitive data, consent must be explicit.
Businesses will be more accountable than ever when it comes to the handling of personal information through the data protection policies, impact assessments and processing documents introduced by the GDPR.
Several major data breaches have occurred in the last year and have been all over the news. Such breaches, or any other incident involving the loss, alteration, destruction, unauthorised disclosure of or unauthorised access to personal data, must now be reported unless the breach is unlikely to result in a risk to the individuals concerned. In the United Kingdom, breaches must be reported to the Information Commissioner’s Office within 72 hours of the organisation becoming aware of them.
Companies with more than 250 employees must keep records of their processing activities: why information is being collected and processed, and a description of the categories of data and of the individuals concerned. These records must also state how long the data will be retained and which security measures have been taken to protect it.
Organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive data, must appoint a Data Protection Officer, as must all public authorities. The DPO monitors compliance with the GDPR and acts as the point of contact for employees, for individuals whose data is processed and for the ICO.
If you have previously requested access to personal data a company holds about you, you will know that you had to submit a Subject Access Request (SAR) and pay a £10 fee. The fee is abolished under the GDPR: once a request is made, the business has one month to provide all the requested data free of charge (extendable by a further two months for complex requests, provided the individual is told within the first month).
Where consent is withdrawn, where the data was collected or processed unlawfully, or where it is no longer needed for the purpose it was collected for, an individual can require that it be deleted. Individuals also have the right not to be subject to decisions based solely on automated processing that have legal or similarly significant effects on them, and the right to an explanation of such a decision and to have it reviewed by a person.
A personal data breach is any incident in which personal data is altered, disclosed, destroyed, lost or accessed without authorisation. Breaches must be reported to the ICO whether the data involved is personal or sensitive, unless the breach is unlikely to result in a risk to the individuals affected; breaches likely to result in a high risk must also be communicated to the individuals themselves.
Anything that can be used to identify an individual including name, address, social media ID and telephone number.
Any violation of the GDPR can result in heavy fines, whether for failing to appoint a DPO where one is required or for collecting or processing data incorrectly. The ICO has said its aim is to work with organisations that fall short so that their practices improve, so the maximum fines are reserved for the most serious cases rather than being the default response.
The amount a company is fined depends on the severity of the violation. Lesser offences, such as failing to keep proper records or to appoint a DPO, carry a fine of up to €10 million or 2% of the company’s annual worldwide turnover, whichever is greater. Serious offences, such as breaching the basic principles of processing or individuals’ rights, carry a fine of up to €20 million or 4% of annual worldwide turnover, whichever is greater.
A controller is the entity that determines why and how personal data is processed. A processor is any person or organisation that processes personal data on the controller’s behalf and on its documented instructions. Processing covers almost anything done with personal data, including obtaining, recording, adapting, storing and disclosing it.
The GDPR may seem daunting at first, but its long-term effects should benefit individuals and businesses alike. Demonstrating that a company takes security and privacy seriously builds trust, and customers who trust a company are more comfortable entrusting it with their information and engaging with it.
If you are receiving a lot of unsolicited phone calls, ask the caller for the company’s ICO registration number. With it you can look the organisation up on the ICO register and check whether it is registered and what it says about the personal data it holds.
If the company is not registered with the ICO, that is itself a breach of its obligations and a strong sign that your data was not collected in compliance with the GDPR, for example without your consent. In that case, report the company to the ICO and include the number it called from in your complaint.
You can get in touch with the ICO by calling 0303 123 1113.