I want to leave the dizzying world of the GDPR to one side for a short while – so no Articles or Regulations for a bit. I want to talk about a very real but often overlooked threat to a whole gamut of information protection issues – people.
When we consider the arena of information protection, it is all too easy to get drawn into the world of IT systems and cyber-crime. Even if we are broader in our approach and consider printed and other forms of information, we often only consider the threats from hacking or data corruption, or perhaps systems failing and data being lost – extending the risk at most as far as a fire destroying records.
On the 5th of April, the ICO fined 11 charities a total of £126,000 for breaking current data protection legislation. Some were fined because they ‘screened’ the subjects to target them for additional funds, some had pieced together data from different sources including lapsed donors and then traded this information with other organisations. After May 25th 2018 this fine might be £180 million!
This Bite is about the role and requirements of a DPO – that’s a Data Protection Officer. The role and duties of a data protection officer are varied – it is an interesting and challenging job. Within the scope of Article 39 of the GDPR, the tasks include:
- To inform and advise the organisation of its duties and responsibilities under the GDPR
- To monitor compliance with the organisation’s own policies and with other regulations (including the GDPR) that may govern the organisation’s data activities
- To provide advice and guidance on data protection impact assessments and monitor their performance
- To act as the organisation’s contact point and liaise with the regulator (the ICO)
- To be aware of, and advise upon, the risks of processing personal data at all times, taking into account the nature, scope, context and purposes of the processing
In this Bite, I’m going to talk a bit about security of personal data and how the GDPR defines security. The requirements fall under Article 32 of the regulation. This is one of the areas of the regulation where decisions need to be made based upon the sensitivity of the data, the nature of the processing, the likelihood of a data breach and the impact on the data subject. These factors are then combined with the availability of technical solutions and the cost of implementation. The key phrase in this article is “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
Whenever you read or hear information about the GDPR, you will most likely come across the terms Privacy by Design and Privacy by Default. They are set out in Article 25 of the regulation. They are a way of ensuring that data protection becomes a consideration in future systems and procedures, and that the protection built into new software or methodologies is proportionate and workable whilst offering the data subject (the person about whom the data is held) the best level of protection. These protections include controlling access to the data and deleting the data once it is no longer required.
Many business owners are assuming that because the UK has voted to leave the European Union – especially since Article 50 was triggered, making this formal – the GDPR will no longer need to be implemented.
This is not the case. The ICO has indicated that businesses will be required to comply by 25th May 2018 along with the rest of Europe. Additionally, it is foreseen that, through the Great Repeal Bill, when the UK officially leaves the EU in May 2019 all the current statutes of the Union will be absorbed into UK law – the GDPR included. There is also the matter of trade with Europe. It will be a condition of doing business that involves the personal data of an EU citizen that the GDPR is complied with. Remember, even when we are out of the EU, and even if we drop the GDPR, there will be many EU citizens living in the UK. It is therefore very unlikely to be dropped, so we may as well get on with it.
To comply with Articles 5 and 6 of the GDPR you need to have a ‘legal basis’ for the collection, storage and processing of personal data. There are some fundamental ways to demonstrate a legal basis for the collection and processing of such data:
- You have explicitly gained the consent of the data subject to hold and process their personal information. This consent must be actively given – it is not sufficient to notify them and allow them to proceed without actively ticking a box or acknowledging the request in some other way. When obtaining consent, the purpose for which the data is being collected and the way it will be processed must be explained in clear and simple terms. You must be able to provide evidence of this consent.
The GDPR is designed to allow individuals to more effectively control their personal data. These updated regulations will also allow businesses to make the most of the opportunities of digital markets by improving public trust and harmonising data protection standards across Europe. The regulation will come into force on 25th May 2018.
What is the GDPR? In simple terms, it: