On 25 May 2018, the General Data Protection Regulation (GDPR) came into effect. But what is this mysterious regulation, and why was there a bombardment of emails on the subject around that time?
Well, the answer is that the GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). The main provisions of the DPA 2018, like the GDPR, have applied since 25 May 2018. The GDPR (according to the ICO guidelines) focuses on lawfulness, transparency and fairness. Consent is a huge part of this, as the ICO instructs: “Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.”
The regulation requires that the purpose for processing personal data is made clear from the outset, that the data collected and the length of time it is stored are kept to a minimum, and that the data held is accurate. A person is accountable for the personal data they hold and must work within the confines of the GDPR when handling another person’s personal data.
Now is the best time to familiarise yourself with data protection and to understand what you are signing yourself up to when agreeing to the terms and conditions that you may in the past have simply scrolled past. The truth is that the GDPR affects everyone, from the average consumer to the small or large business owner.
In other words, it applies to both ‘controllers’ and ‘processors’, as the ICO describes them. The GDPR covers both personal data and sensitive personal data, and requires that they are processed using ‘appropriate technical and organisational measures’.
This is the security principle that the GDPR enforces. In brief, when considering personal data the following questions should be asked:
- Is the personal data processed by automated means?
- Can the person be either directly or indirectly identified by the information provided?
- Is the data sensitive? For example, a criminal conviction or offence would be considered sensitive personal data and should only be processed in limited circumstances.
- Does the GDPR relate to you? Are you a sole trader, an employee or a company director? Then the GDPR relates to you. It does not, however, relate to public authorities, for example. The ICO website provides more detail on this.
You might be asking yourself “But won’t Brexit have an effect on this regulation?” The answer is that, for the time being, we are still a member of the EU and consequently will be obliged to comply with the GDPR. The GDPR also applies to organisations outside the EU that offer goods or services to anyone within the EU.
The GDPR was a much-needed boost to data protection in a digital age that has grown extensively over the past 20 years. The key changes, as laid out by the ICO, are the following:
- There is no principle for individuals’ rights. This is now dealt with separately in Chapter III of the GDPR;
- There is no principle for international transfers of personal data. This is now dealt with separately in Chapter V of the GDPR; and
- There is a new accountability principle. This specifically requires you to take responsibility for complying with the principles and to have appropriate processes and records in place to demonstrate that you comply.
More information may be found at the ICO website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/
Examples of misuse of data
The GDPR encourages security measures to protect individuals from serious harm, and also from less serious kinds of harm such as embarrassment or inconvenience.
Some examples of the harm caused by the loss or abuse of personal data include:
- identity fraud;
- fake credit card transactions;
- targeting of individuals by fraudsters, potentially made more convincing by compromised personal data;
- witnesses put at risk of physical harm or intimidation;
- offenders at risk from vigilantes;
- exposure of the addresses of service personnel, police and prison officers, and those at risk of domestic violence;
- fake applications for tax credits; and
- mortgage fraud.
Different measures are required depending on your individual situation, but it is apparent that we all need to be more observant of our own personal data and of how we manage other people’s. The guidelines set out are simple and easy to follow, and are ultimately beneficial for you or your business and for whatever the future may hold with regard to data protection.