Here’s What No One Tells You About GDPR, Data Protection - 9 Steps you should take to comply with GD
On 25th May 2018 the European General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) becomes applicable. The GDPR will apply in the UK despite the UK's planned exit from the European Union; at the time of writing the Data Protection Bill, which incorporates the GDPR into UK law, had had its third reading and was making its way through Parliament.
This article aims to explain what data protection is, why the changes have been introduced and 9 steps you can take to help your business comply.
In the video below the Information Commissioner, Elizabeth Denham, talks about why companies need to act now and comply with the regulation, which brings greater protection to individuals and stronger consumer rights as data is shared across borders.
What are the consequences of non-compliance with GDPR?
The regulation gives supervisory authorities wider investigative and enforcement powers, including the power to levy substantially larger fines than under the current law.
Article 58 of the GDPR gives the supervisory authority the power to impose administrative fines, and Article 83 sets out the criteria for determining the amount, which include the nature, gravity and duration of the infringement, whether it was intentional or negligent, any technical and organisational measures that had been put in place, previous infringements and the degree of cooperation with the authority, to name but a few.
For example, an infringement of the controller's or processor's obligations, such as failing to implement appropriate technical and organisational security measures (Article 32), can attract a fine of up to 10 million Euros or 2% of the business's total worldwide annual turnover for the preceding financial year, whichever is higher. An infringement of a key provision of the GDPR, such as the basic principles for processing, the conditions for consent, data subjects' rights or the rules on international transfers, can attract a fine of up to 20 million Euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Fines will be assessed by the Data Protection Authorities; in the UK this will be the Information Commissioner's Office ('ICO').
Background, what is Data Protection?
In a nutshell, data protection is the process of safeguarding important information from corruption, compromise or loss; in the legal sense it is the set of rules governing how information about identifiable individuals may be collected, used, stored and shared.
The basic principles of data protection were introduced in the 1950s under Article 8 of the European Convention on Human Rights ("the Convention") and were later enshrined in Article 8 of the EU Charter of Fundamental Rights.
The Convention provides that everyone has the right to respect for their private and family life, home and correspondence. It further states that there shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in the interests of national security, public safety, the economic well-being of the country, the prevention of disorder or crime, the protection of health or morals, or the protection of the rights and freedoms of others.
The UK's first Data Protection Act was passed in 1984. The 1980s and 1990s then saw an unprecedented explosion in the availability and use of computers, which changed the way data was collected and processed and how it crossed borders within the EU. The 1984 Act proved insufficient, and following the 1995 EU Directive on data protection (95/46/EC) it was replaced.
The Data Protection Act 1998 ("DPA") is the current UK governing law on data protection and regulates the use of "personal data". In 2003 the Privacy and Electronic Communications Regulations (PECR), which sit alongside the DPA, gave individuals more control over digital marketing by requiring consent (an opt-in) before marketing e-mails, SMS text messages, etc. may be sent.
The DPA defines the word "data" as:
"Data means information which –
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means of such equipment,
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or
(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d)."
The Act regulates the processing of personal data, that is, data relating to a living individual who can be identified from either:
the data alone, or
the data together with other information that is in the possession of, or is likely to come into the possession of, the data controller.
Data controllers are entities such as companies, firms, sole traders, etc. that, either alone or jointly with others, determine the purposes for which and the manner in which personal data are processed.
Under the DPA, personal data also includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of that individual.
The Information Commissioner’s Office ('ICO') which investigates data breaches in the UK has a guideline to determine what information is data in accordance wit