Leading up to May 2018 there was a lot of coverage of the incoming GDPR Data Protection (DP) legislation. Organisations of all sorts knew that something needed to be done but weren’t always sure what it was. Consequently, as a Data Protection company, we found ourselves very busy indeed.
The day after it became law though, our conversations with clients and potential clients changed significantly. There was a perception that the GDPR had passed and that nothing now needed to be done. The reality is that Data Protection is an on-going risk management exercise and there are more changes coming.
The UK started on the road to regulating Data Protection in the late 1960s. Some MPs, even at that early stage of digitisation understood that computers would give people the ability to store and process data in ways that had until that point been unimaginable. As it transpired, it was still unimaginable to most MPs and so early attempts to create legislation failed.
In 1970 Brian Walden MP, who later went on to become a venerated Broadcaster, failed to get his Private Members Bill, ‘The Right to Privacy’ passed by Parliament. With extraordinary prescience he stated in the debate that ‘Modern technology has conferred substantial benefits on us…. Nevertheless, we cannot turn away from the fact that modern technology can be and is misused.’ It did however spur the creation of a Committee on Data Protection and fourteen years later, eventually led to the passing of the Data Protection Act 1984.
Portions of the 1984 Act bear more than a passing familiarity with the GDPR and UK Data Protection Act 2018. The Data Protection Act 1998 was a progression of the 1984 Act and GDPR is another advance, hence the similarities. As there are strong similarities throughout, the bustle of activity last May could suggest that a lot of organisations hadn’t been paying quite the attention to Data Protection that perhaps they could have for the past 34 years.
At each periodic update, two major things change; the breadth of responsibility of the data controller and the penalties for failing to meet obligations both increase.
Organisations that had previously ignored the Data Protection Act 1998 faced several challenges when they tried to adhere to the GDPR. Firstly, senior management needed to understand that Data Protection is not a tick box exercise. It’s not yes/no and there is currently no certificate of compliance available (although this is now being explored by the Information Commissioners Office). Whilst there are processes and documentation to maintain it is primarily a principles-based piece of legislation. There are seven principles, which are:
Lawfulness, fairness and transparency
The law describes illegal and inappropriate activities. One clear example would be secretly selling personal data to a third party. Any personal data processed should be done so with the interests or fundamental rights and freedoms of the data subject at its heart. The processing should be transparent; the data subject should know what is happening to their information.
This first principle neatly highlights why DP isn’t a box ticking exercise. It requires that organisations understand what information they process and how in order to determine whether it is lawful and fair. This can have an impact on operational processes.
When information is collected about a data subject, they need to be told what purpose their data will be used for. It can then only be used for that purpose.
Staff training and change management is important here. It is common for pools of data to be repurposed without oversight.
Organisations should only collect the data they require for the purpose of processing. This backs up purpose limitation.
The information stored must be accurate.
Personal data should be deleted when it is no longer required for the specific purpose.
Computer systems have proved to be a bottle neck here, but newer software is introducing features to help manage this.
Integrity and Confidentiality
Personal data must be kept safe.
This is the part of the regulation that deals with the security around data protection. These things are often confused. Data Protection concerns how data is processed. Security is about the appropriate controls around confidentiality, process and IT systems.
Organisations need to take responsibility for what they do with personal data. Governance, risk and communication is very important here. The regulation states that as a part of this principle it must be possible to demonstrate compliance. In this context though, compliance is currently an aspiration given that no measurable standard exists.
Of the organisations we have seen and helped make the most progress with their overall Data Protection position were the ones that were happy to approach it methodologically. Responsibilities were assigned, gaps identified, changes priorities by perceived risk and management involvement obtained. The advantage with this risk-based approach is that progress was made without diverting significant resources away from the organsation’s stated aims. They will also be much better placed to cope with future changes and will be less concerned when the first fines issued under the GDPR hit news desks in June or July.
Looking further ahead and demonstrating that Data Protection is not a one-off activity, the new ePrivacy Regulation is due for enactment in the next year or two. This will have a profound effect on the digital realm. Cookies, the internet of things and direct marketing are all explicitly covered. Like the GDPR, this is an iteration of the previous ePrivacy Directive from 2002 (enacted in the UK via the Privacy and Electronic Communications Regulations) that adds responsibilities and enhances penalties. It is also very much like Brian Walden’s 1969 Privacy Bill in that it is a reaction to emerging technologies and their potential to be invasive in our lives.
Need some assistance starting or refining your GDPR journey? Contact our team of experts today to get started. Call us: 020 3691 5731 / Email us: email@example.com / Fill in our contact form here…