The future of Data Protection

Data protection is something everyone seems to be talking about at the moment, because the General Data Protection Regulation (GDPR) comes into effect in May.

Currently, the UK relies on the Data Protection Act 1998 to protect its citizens' data, but constant changes in technology have made this Act outdated.

GDPR came into force on 24 May 2016, but businesses and organisations have until 25 May 2018 before the law applies to them.

The change in the law is intended to crack down on security breaches. Fines will be tougher, and people will have more of a say over what companies can do with their personal data.

Another reason for the introduction of GDPR was to give businesses in the EU a simple and clear legal environment that will ensure data protection is identical across the market.

‘Controllers’ and ‘processors’ of data will need to be fully aware of the GDPR rules. Even if the controllers and processors are based outside the EU, they must still abide by the law if the data belongs to an EU citizen. If processors are involved in a data breach, they are more liable under GDPR than they ever were under the Data Protection Act 1998.

Consent must be given by the data subject actively and affirmatively. Currently, passive acceptance through pre-ticked boxes or opt-outs is allowed, but this will become unlawful.

Individuals will now have the right to demand that their data is permanently removed from a database if it is no longer relevant or necessary for the original purpose for which it was collected. This is known as the ‘right to be forgotten’. The rule also allows them to demand that their data is deleted if they have withdrawn their consent for it to be collected.

Consideration should be given to the following points, among others:

  1. Identify the legal basis you rely on for processing data and why it has been collected. The data must be used only for those purposes, not for other purposes merely because they are similar.
  2. Consent must always be obtained from clients as well as employees for any data or records held.
  3. There must be transparency about the consent, i.e. who the data is going to be shared with and why (if it is shared at all).
  4. Individuals have the right to lodge a complaint with the ICO.
  5. The data obtained must be right for the purpose: sufficient, but not excessive, for the reasons you are processing it.
  6. The personal data must be obtained accurately and kept up to date while it is being processed.
  7. Individuals have the right to rectification of the data held, for example if it is incomplete or inaccurate.
  8. For anyone 13 years or younger, you must obtain parental/guardian consent. Privacy notices in these circumstances must be written in language that children can understand, with appropriate safeguards.
  9. Personal data should only be kept for as long as is necessary and no longer, unless retaining it is in the public interest, e.g. for statistical or historical purposes.
  10. The data must be kept securely and accessed only by those who should have access to it.

The new regulations are about protecting the confidentiality, integrity and availability of personal data. All firms should have company policies for their employees to follow and should hold appropriate records. Should a breach occur, the company must be able to demonstrate accountability.

As a firm, if you have not already done so, now is the time to review your current practices, processes, policies and culture to see what changes you will need to make to meet the accountability principle.
