The most radical change in 20 years for personal data protection came into force in May 2018. The new set of regulations, the General Data Protection Regulations or GDPR, will significantly strengthen the protection of personal information for individuals across the EU, including the UK. In this article, we look at the obligations on organisations that hold and process personal data – and the significant levels of penalties if an organisation fails to deliver on its responsibilities.
The answer is almost certainly yes. The regulations apply to entities of all sizes and shapes that hold or process personal data both inside and outside of Europe. So, whether you are a sole trader, a public company, a non-profit or a school you need to be prepared.
The regulations are all about protecting people, their privacy and their rights, and so cover data which is personal. The GDPR’s definition of “personal data” is extensive and includes a person’s physical, physiological, mental, economic, cultural, online or social identity. This broad definition of personal data easily covers the simplest records that relate, even indirectly, to customers, clients, staff, pupils and any other record relating to an individual.
Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health or data concerning a natural person’s sex life or sexual orientation is specifically called out.
There are child-specific provisions in the GDPR, particularly in relation to grounds for processing and notices. Children are identified as “vulnerable individuals” and deserving of “specific protection”, with the ability to add additional restrictions and precautions.
The section above looked at what is meant by “personal data” – “Processing” is what is done to the data. The GDPR takes a very broad view of what this means and covers the whole lifecycle of the data – from how and when it is collected, what is done with it to how it is finally deleted. Sending a routine email will constitute processing as it includes personal data related to the recipient. Storing, structuring and organising staff, member or customer information is processing. Reviewing an employee’s performance or providing feedback is “processing” and so will require permission.
The regulations refer to “controllers” (who determine how and why personal data is processed) and “processors” (who act on the controller’s behalf). Controllers have to be open and honest about what they do with personal data, stick to the purpose for which it was collected, keep it current and accurate, and delete it when it’s no longer required. Processors have a greater legal responsibility to protect personal data under the GDPR than under the DPA, in particular if they are responsible for a breach.
As we reviewed in part one, your employees, customers and members will have new powers to request detailed information on how their data is used, stored and protected – free of charge. They’ll have the right to access, port and even request erasure of their personal details. So, you will need to ensure that you have the processes in place to deliver on these rights – and to deliver them within the prescribed timescales.
Data protection legislation has included the principles of lawfulness, fairness and transparency for some time and now the GDPR goes further and adds the principles of accountability and governance. In essence, you must not only do the right thing, you must be able to show and prove that you are. This means you will need to implement privacy by design, with appropriate technical and organisational measures such as internal data protection policies, staff training, internal audits of processing activities, and reviews of internal HR policies. You will also need to maintain records of processing activities under your responsibility.
Privacy by design and default means that you must consider these issues right from the start of a project and not just tack them on as an afterthought. The Information Commissioner has always promoted this approach in the UK, but it has not been a legal requirement under the Data Protection Act – it will be under the GDPR. Data privacy by default means that an individual’s right is not to share any information – anything above this level requires the individual’s permission.
A key purpose of the GDPR is to protect an individual’s personal data, so of course security of personal data and its processing features strongly in the new regulations.
Both data controllers and data processors are jointly responsible for personal data protection, which means that data controllers need to know more about sub-contractors (processors, such as cloud service providers or marketing agencies) than at present. All of us use cloud services to one extent or another – perhaps for storage (such as Dropbox or Google Drive) or applications (such as email, accounting or CRM). And sometimes your staff may elect to use a third-party service without your knowledge. Whatever the case, as a data controller, you will be held accountable for the security of the data.
The regulations specify that data should be held within one of the 28 EU countries, or a country that has an agreement with the EU. You not only need to understand and approve the technical and organisational competence of the third party, you need to understand where they hold the data you are accountable for.
In addition to the above, the regulations specifically bring out pseudonymisation and encryption of personal data as ways to protect personal data. The ICO has been encouraging the encryption of personal data on mobile devices for some time; under the GDPR it becomes more explicit.
A personal data breach is much more than just losing personal data and can involve the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. There has been considerable media coverage of high-profile data breaches and the theft of personal data in recent times. Data breaches do happen, regardless of the size of organisation, and it’s only the big ones that get the publicity.
You will have the responsibility to notify the ICO and the individuals concerned if the breach is likely to result in a risk to the rights and freedoms of individuals. Where a breach meets the notifiable criteria, you must report the breach within 72 hours, which is a tough requirement as it means you need the processes and systems to be in place to detect that a breach has occurred.
The regulations call out additional requirements when processing “Sensitive Personal Data”, when there are high risks to privacy and individual rights, or when carrying out large-scale processing of special categories of data. In these cases, organisations may need to conduct Data Privacy Impact Assessments. Both data controllers and processors will need to appoint a Data Protection Officer where the processing is carried out by a public authority, where processing requires regular and systematic monitoring of data subjects on a large scale, or where there is processing on a large scale of special categories of data.
The maximum level of fine available to the ICO is currently £500,000, but the GDPR raises the level significantly. Two levels of fine will be available:
In the next article, we will review the 12 steps the Information Commissioner recommends organisations take to prepare for the GDPR.
We provide supportive leadership enabling our business community to succeed and prosper through effective use of IT and Technology. PAAC IT is an IT Company in Surrey offering small businesses the personal attention and care that their IT systems deserve. If your company has between 1 and 100 employees and needs an IT Company in Surrey, we would love to hear from you!