On the 14th April, after four years of argument and huge amounts of lobbying, the European Parliament passed the General Data Protection Regulation (GDPR). While this doesn’t change the basic principles of Data Protection, it will have a major impact on compliance: how it is achieved and how it is enforced.
Our current data protection regime in the UK is based on the Data Protection Act (DPA), which was passed in 1998 and is the UK implementation of the European Union Data Protection Directive (1995). Of course, all of the Member States of the European Union created their own equivalent of the DPA interpreting the Directive in their own way. This is how European Union directives work – they are essentially guidelines for creating laws in each Member State. As the guidelines leave a lot of room for interpretation the different Data Protection laws impose broadly similar but significantly different requirements, creating barriers to cross border trade within the EU as businesses need to comply with the law in each Member State where they have customers. This is one of the main reasons for the introduction of the GDPR.
The GDPR is a ‘Regulation’. Unlike a Directive, the Regulation as written applies directly as law across the EU; it does not need to be transposed into the law of each Member State. As it has ended up, there are still parts of it which state that certain things (e.g. penalties for public bodies) may be specified in Member State law. Without this small amount of flexibility it would have been impossible to get 28 Member States to agree!
So why should we be concerned?
Firstly, the potential penalties are enormous. Under the DPA the maximum penalty is £500,000. Under the GDPR the maximum penalty is €20 million or 4% of global turnover, whichever is the larger. To give those numbers some context, I estimate that, under the new regime, TalkTalk, after their data breach last year, could have been subject to a penalty of up to £90 million. This puts Data Protection penalties in the same league as competition law and financial misconduct, which will focus the mind wonderfully.
Secondly, there is a lot to do in order to become compliant. The GDPR will not be enforced immediately; enforcement will begin in either May or June 2018. Two years may seem like a long time, but
For the moment, probably the best thing to do is to make sure that you are compliant with the DPA. It is also worth implementing best practice which can be found on the Information Commissioner’s website (ico.org.uk). I will also cover some of this in future blogs.
If you really don’t know where to start you should begin by auditing and mapping the data you currently hold. Until you know what data you have and what you do with it you cannot start to deal with compliance issues. For Data Protection compliance you only need to worry about personal data, but it will certainly be useful to also audit any other sensitive or valuable information.
Without going into too much detail for the moment, personal data is data which relates to a living person who can be identified from that data, or by combining that data with other data which you already have or are likely to have. This covers data which is stored or processed on a computer (including smartphones, tablets etc.) or held in a reasonably structured filing system, so it includes paper-based records.
Auditing and mapping your data is a fairly painful activity, but once it is done you are in a good position to progress with Data Protection compliance. You need to look at all the sets of data that are stored in your organisation and consider:
- where the data came from or how it was collected
- who is responsible for that data
- what security measures are in place to protect it
- why you actually hold the data
- who is able to access the data
- any transfers of the data to other locations or organisations
- how long you will keep the data
That should keep you busy for a little while. Come back soon for some further thoughts on DPA compliance, the GDPR and other related issues.
If you would like some support with DPA compliance, GDPR preparation or training in either of these, please get in touch. I’m always happy to talk.