Data Protection and GDPR


Background

In 2016 the EU reformed its data protection legislation, creating the General Data Protection Regulation (GDPR). The date for compliance with this new regulation was 25 May 2018, and businesses need to ensure they comply. In the United Kingdom the Data Protection Act (DPA) was revised in 2018 to implement GDPR in the UK. The ICO and UK government have confirmed that the requirements will continue to apply regardless of Brexit.

The GDPR and DPA apply to anyone controlling or processing personal information. Recent high-profile data breaches have shown how quickly customer trust in an organisation can be eroded. Can you afford to risk the reputation of your business?

Data Protection legislation is not new. In the UK, the 1998 Data Protection Act (itself based on a 1995 EU Directive) was hopelessly out of date and informal. So – in 2016, the UK Supervisory Authority (the Information Commissioner’s Office) led the way in drafting the EU General Data Protection Regulation – now most commonly known as GDPR. Across the EU, GDPR came into force on 25th May 2018. As with other countries, the UK brought in its own Data Protection Act 2018 at the same time. So, from now on, we have UK data protection legislation, including UK GDPR – and this will stay in place now that Brexit has taken place. Some aspects may be amended by our status in Europe, but the main concepts and requirements will remain regardless.

Data Protection/GDPR – What is required for compliance?

This legislation applies across the UK to all organisations regardless of size or sector. All organisations (private and public sector) process “personal data” as defined in the laws. Failure to comply can be very expensive. The fines are not assessed on the size of your business, but on the impact of the breach on the person concerned. This does mean that your business could potentially attract a fine in the hundreds of thousands or millions – could your business survive this?

How do I do the right thing for my business?

Our consultants can provide advice on this, help you draft the requisite documentation (see below) and provide continued advice and guidance moving forward. Every business is bespoke when it comes to data protection, so it’s worth a call!

With the help of our specialist consultants, you can assess what data you hold and how you process it. From this we can produce:

1 – Data Audit - a requirement of the legislation, this demonstrates that you take data security and processing very seriously and you have applied the now-legal process of “privacy by design and by default”.

2 – Privacy Notice - this replaces any previous Privacy Policy documentation and should contain certain concepts as laid out by the Supervisory Authority, as they may apply to your business. It should be concise, and in plain language - no “legal speak”.

3 – “Short” Privacy Notices - these go on forms and email footers to demonstrate compliance.

4 – Pay the ICO fee - there are a few very prescriptive exemptions – you are highly unlikely to be exempt.

5 – Accountability Document - accountability has brought in more structure with the implementation of GDPR. Again, there are concepts the ICO expects to see, as and when they apply to your business.

6 – Training - if you have staff, then you are expected to make them aware of their rights under this legislation and how you are implementing compliance. This can be through policies and/or formal training.

All of the above can be straightforward with the guidance and assistance of our consultants. We have a practical approach to implementing compliance - without legal wording or high legal fees.

Why not take away all the uncertainty as to whether or not you comply and give us a call today…

Our consultants can provide advice on all aspects of data protection legislation and compliance to ensure your business has the right processes in place for handling how information is collected, processed, stored, maintained, protected and disposed of.

The rights of the individual are protected by a variety of legislation, and whether you trade in the UK, Europe, or globally you need to have effective policies and processes to protect any personal data that you process.

Please contact us to arrange a telephone or face to face appointment to discuss your data protection needs.

Outsourced Data Protection Officers

Where your business is unable to justify employing a full-time Data Protection Officer (DPO), or you just don't have the skills in house, Spritzmonkey can provide a consultant to fulfil this role. We will be able to develop and implement your Data Protection Policy, provide guidance on processing all personal data, produce guidance and training material and deliver training to staff, and enable your organisation to process, coordinate and respond to all subject access requests in an appropriate manner.

ISO/IEC 27701 PIMS

ISO/IEC 27701 is an extension to ISO 27001 for Privacy Information Management (PIM) that provides guidance on the protection of privacy, including how organisations should manage personal information, and assists in demonstrating compliance with privacy regulations around the world.

If you are already ISO 27001 certified or looking to implement ISO 27001, we can help add the requirements of ISO 27701 so that you can build trust in managing personal information in a transparent way between stakeholders. This is applicable to all organisations who are acting as personal data controllers and processors and will provide a framework for complying with the GDPR requirement for appropriate technical and organisational measures.

Note: This standard was previously known as ISO/IEC 27552 during the standards development process.

Get in touch

To discuss data protection, GDPR, or anything else please get in touch using the form below or the other contact details on our site.

Frequently Asked Questions (FAQ)

What is GDPR?

The General Data Protection Regulation (GDPR) is amongst the toughest privacy and security laws in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR levies harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of Euros.

What information does GDPR apply to?

The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

What is the Data Protection Act?

In the United Kingdom the Data Protection Act (DPA) was revised in 2018 to implement GDPR in the UK. The ICO and UK government have confirmed that the requirements will continue to apply regardless of Brexit.

What is the data protection fee?

In the UK, the Information Commissioner’s Office (ICO) charges a fee to all data controllers who are not exempt. This is used to fund its data protection work. The fee is charged annually.

How much are the data protection fees?

The fees range from £40 to £2,900. The fee depends on the size of your organisation, your turnover and, in some cases, the type of organisation you are. It’s structured like this out of fairness.

What are ‘controllers’ and ‘processors’?

Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data. If two or more controllers jointly determine the purposes and means of the processing of the same personal data, they are joint controllers. However, they are not joint controllers if they are processing the same data for different purposes. Processors act on behalf of, and only on the instructions of, the relevant controller.

What does it mean if you are joint controllers?

Joint controllers must arrange between themselves who will take primary responsibility for complying with GDPR obligations, and in particular transparency obligations and individuals’ rights. They should make this information available to individuals. However, all joint controllers remain responsible for compliance with the controller obligations under the GDPR. Both supervisory authorities and individuals may take action against any controller regarding a breach of those obligations.

Do I need to appoint a data protection officer (DPO)?

Under the GDPR, you must appoint a DPO in certain circumstances.