Data protection is something everyone seems to be talking about at the moment, due to the launch of the General Data Protection Regulation (GDPR) in May.
Currently, the country is relying on the Data Protection Act 1998 to protect UK citizens’ data, but due to the constant changes in technology, this has now become outdated.
GDPR came into force on 24 May 2016, but businesses and organisations have until 25 May 2018 before the law is applied to them.
The change in the law will be introduced to crack down on security breaches. Fines will be tougher and people will have more of a say on what companies can do with their personal data.
Another reason for the introduction of GDPR was to give businesses in the EU a simple and clear legal environment that will ensure data protection is identical across the market.
‘Controllers’ and ‘processors’ of data will need to be fully aware of the laws and regulations of GDPR. Even if the controllers and processors are based outside of the EU, they will still need to abide by the law if the data belongs to an EU citizen. If processors are involved in a data breach, they are more liable under GDPR than they ever were under the Data Protection Act 1998.
Consent must be given by the data subject actively and affirmatively. Currently, passive acceptance under pre-ticked boxes or opt-outs is allowed, but this will become unlawful.
Individuals will now have the right to demand that their data is removed permanently from a database if it’s no longer relevant or needed for the original purpose for which it was collected. This is known as the ‘right to be forgotten’. The rule also allows them to demand that their data is deleted if they’ve withdrawn their consent for their data to be collected.
The new regulations are about protecting the confidentiality, integrity and availability of personal data. All firms should have company policies for their employees to follow and appropriate records held. Should a breach occur, the company must be able to show accountability.
As a firm, if you have not already done so, now is the time to think about your current practices, processes, policies and culture to see what changes you will need to make to meet the accountability principle.