What is GDPR?
The need to know guide on GDPR compliance and Data Protection in the UK
General Data Protection Regulation (GDPR) governs how businesses process and handle data. This summary GDPR guide explains what GDPR means for companies and individuals.
Europe is regulated by the world’s strictest data protection rules. The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. The regulation was designed to update and enhance existing laws protecting the personal information of individuals.
Prior to GDPR being enforced, the existing data protection rules in Europe dated back to the 1990s and had therefore become outdated in the face of advancing technology and cyber security threats. GDPR changes how businesses and other organisations handle the information of their clients, holding companies responsible for handling data securely while strengthening the position of the individual with rights and control over their information.
GDPR brings in changes for data protection in the form of accountability for misuse or mishandling, transparency towards those whose data is held, and regulatory fines for non-compliance.
Who the rules relate to, what data is covered and how GDPR should be implemented in a company are the questions most often asked. This article summarises the core points of GDPR.
There are new rights for people to access the information companies hold about them, obligations for better data management by businesses, and a new regime of fines. This GDPR guide gives the high-level information below.
What is GDPR?
GDPR is a framework introduced in Europe for data protection laws. Replacing the 1995 Data Protection Directive, it brings the law up to date to meet today’s world of technology and cybercrime.
The EU’s aim with GDPR is to align data privacy laws across Europe while giving more protection and rights to individuals.
GDPR came into force on May 25, 2018, with a two-year preparation period allowing businesses and public bodies to prepare for the changes.
Because of Brexit, the UK has implemented a new Data Protection Act (2018), which largely includes all the provisions of GDPR. There are some small differences, but UK law is largely the same as EU GDPR.
Who is currently in charge of GDPR in the UK?
The Department for Culture, Media and Sport is the government arm responsible for ensuring that UK law complies with the requirements of GDPR. The department was also responsible for creating the UK’s Data Protection Act, but won’t have control of the day-to-day elements of GDPR once it is enforced.
The Information Commissioner’s Office (ICO) will be responsible for enforcing GDPR. The ICO has the power to conduct criminal investigations and issue fines. It is also providing organisations with huge amounts of guidance about how to comply with GDPR.
What did GDPR replace?
GDPR applies across Europe; however, recognising that one size does not fit all, countries are able to make minor changes to suit local requirements. In addition to GDPR, the UK also has the Data Protection Act (2018).
The UK’s Data Protection Act was passed into law just prior to GDPR coming into force, passing through both the House of Commons and the House of Lords. Further reading on the UK’s Data Protection Act 2018 is available here.
Will I be impacted by GDPR?
There are considerations, but as a rule of thumb, yes. Individuals, organisations and companies fill the role of either a ‘controller’ or a ‘processor’ of personal data under GDPR.
Both personal data and sensitive personal data are covered under GDPR.
Personal data is information that can directly or indirectly be used to identify a person. This could be a tax reference number, name, email address, telephone number, work ID or IP address. Any data that, if pieced together, could identify an individual would be personal data.
Sensitive personal data covers data that could be used to form a judgement about a person. This could be religion, sexual orientation, politics, race, country of origin, etc.
There are eight rights an individual has under GDPR. These give individuals easier access to the data companies hold on them. Non-compliance can result in fines, so organisations have a clear and transparent responsibility to obtain an individual’s consent when they collect information about them. This is obvious on many websites now with data protection pop-ups.
Start-ups, as well as established companies, need to ensure they are compliant with GDPR to avoid fines and other regulatory punishment. Many start-ups hold no data to begin with, so compliance can be overlooked; caution is advised.
For companies that have more than 250 employees, documentation is needed of why people’s information is being collected and processed. Also required are descriptions of the information that is held, how long it will be kept, and the data security and other measures in place to protect that information.
Accountability and compliance
Organisations covered by GDPR are accountable for their handling of an individual’s personal information. Because of this, the recommendation to put data protection policies, procedures and impact assessments in place cannot be stressed enough.
History of Data Breaches
There have been many high-profile data breaches in which millions of details were exposed from sites such as MySpace and LinkedIn.
GDPR states that the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data has to be reported to the country’s data protection regulator if it could have a detrimental impact on the people it is about. This can include financial loss, confidentiality breaches, reputational damage and more. The ICO has to be told about a breach within 72 hours of an organisation finding out about it, and the individuals impacted must also be informed.
A data protection officer (DPO) role should be introduced where there is “regular and systematic monitoring” of individuals on a large scale, or where high amounts of sensitive personal data are processed.
For large organisations needing compliance with GDPR, hiring a new staff member or expanding an existing role may be needed. A DPO reports to senior staff and monitors company compliance with GDPR, while being the main contact for employees and customers. Because of this role structure, board members and directors can be held directly accountable.
Consent is also a requirement for businesses before processing data in various situations. A clear explanation that consent is being given is required, including information on “positive opt-in”.
Accessing Personal Data
In addition to the laws governing how companies and organisations collect personal data, GDPR also gives individuals the power to access information held about them.
The Subject Access Request (SAR) provision gives individuals the ability to request that companies and organisations provide the data held on them. Previously these requests could come at a cost; however, GDPR scrapped the charge, allowing free requests for information. After an SAR, businesses have up to one month to provide the information. Because of this ease of request and the deadline, organisations should ensure they have the correct systems and procedures in place for compliance.
The regulation also allows individuals to request that their personal data is erased, but not in all circumstances. Requests must be complied with where there is no longer a purpose for which the data was originally collected, where consent is withdrawn by the individual, where there is no legitimate interest, and/or where the data was unlawfully processed.
GDPR gives regulators the ability to fine organisations that breach its rules. If an organisation does not process an individual’s data correctly, a fine can be issued. Fines can also be incurred where a company is required to create a data protection officer (DPO) role but does not, and a security breach can also be the reason for a fine. For this reason, cyber security policies, procedures and software need to be introduced to de-risk a cyber security breach.
The GDPR states that smaller offences could result in fines of up to €10 million, or two per cent of a firm’s global turnover, whichever is greater. More serious offences can result in fines of up to €20 million or four per cent of a firm’s global turnover, whichever is greater.
It has been noted that fines may be more lenient on companies that have shown awareness of the GDPR guidance and laws and tried to implement them, when compared to those that haven’t made any effort. However, this is not an excuse for non-compliance with GDPR.
GDPR Notable Company Fines
Insufficient transparency, control and consent over the processing of personal data for the purposes of behavioural advertising.
Failure to undertake sufficient due diligence when acquiring the Starwood hotels group, whose systems were compromised in 2014, exposing approximately 339 million guest records.
Use of poor security arrangements that resulted in a 2018 web-skimming attack affecting 500,000 consumers.
Insufficient protection of personal data: failing to put “sufficient technical and organizational measures” in place to protect customer data in its call centres, in violation of Article 32 of GDPR.
Online retailer Morele.net: insufficient protection of personal data, leading to the exposure of data of about 2.2 million people.
Hospital do Barreiro: insufficient security of medical records, “…based on access policies to databases, which allowed technicians and physicians to consult patients’ clinical files, without proper authorization.”
Sergic (real estate services): failure to implement appropriate security measures; failure to define appropriate data retention periods for the personal data of unsuccessful rental candidates.
Poorly disclosing the purpose for requesting GPS and microphone permissions within the football league’s mobile app. When the app was open, it transmitted the user’s location if it detected an acoustic fingerprint embedded within game telecasts. This was used to help pinpoint the locations of venues that may be screening the games from unauthorised feeds.
Failure to implement the necessary technical and administrative measures to ensure data security, and breaching notification obligations.
Brexit and GDPR
GDPR is almost identical to the UK’s 2018 Data Protection Act. This is so that when the UK leaves the EU there should be minimal disruption to businesses. After the UK leaves, GDPR will continue to protect the rights of EU citizens, with businesses and organisations not having to change their policies.
As with all things Brexit, this is still under discussion and it looks like further changes will come into effect after a settling-in period. This “What is GDPR” guide can be used as an overview, although laws will be changing and further reading from government sites is recommended.