We want to help you to understand more about GDPR and Data Protection laws. As such we have pulled together some of the key questions that we are regularly asked.
We've also included a 'Hot Topics' section which focuses on answering your questions in relation to whatever is currently impacting GDPR and Data Protection laws.
Is Data Protection impacted by Brexit?
In a word - yes! Before the end of 2020 there was much debate and speculation as to what would happen to the transfer of personally identifiable data from the European Economic Area (EEA).
The worst-case scenario was that from January 1st 2021 data being received from the EEA would grind to a halt until businesses had adapted to the restrictions and new measures imposed by the European Union (EU).
Fortunately, we have entered into a bridging period, until at least the end of April 2021, if not June, whilst the UK government and EU parliament agree whether the UK's own Data Protection Act is sufficient, providing safeguards that are adequate and equivalent to those of the EU's General Data Protection Regulation.
What can I do to prepare?
There are a number of things that you should consider prior to the end of the transition period, such as (but not limited to):
Do I need an EU Representative?
If you offer goods or services to individuals in the EEA, or are monitoring the behaviour of individuals in the EEA, and you have no offices, branches or other establishments in the EEA, you may need an EU representative after the transition period.
You will need to consider in which EU or EEA state your representative will be based and put in place an appropriate written mandate for that representative to act on your behalf.
You do not need to appoint a representative if either:
Our EU Representative Blog provides more information on this.
Is there any more information that will help me and my business?
We've pulled together a useful factsheet that delves a little deeper into what this means to you as a business.
Click here to take a look.
What is GDPR?
GDPR stands for 'General Data Protection Regulation'. It applies to all EU countries and became enforceable on 25 May 2018. Its goal was to bring the previous Data Protection regime up to date, allowing free movement of personal data around the EU as well as strengthening the rights of individuals around the use of their personal data and increasing the fines dramatically for those who don't comply.
What is the DPA 2018?
The DPA 2018 sets out the framework for data protection law in the UK, updating and replacing the DPA 1998.
It sits alongside the GDPR, and tailors how the GDPR applies in the UK. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner's functions and powers.
Who are the ICO?
The ICO is the 'Information Commissioner's Office'. Their role is to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The ICO are responsible for promoting good practice in handling personal data and giving advice and guidance on data protection, helping to resolve disputes and enforcing compliance, among other things.
What are my business's responsibilities?
As you can appreciate, the GDPR and DPA 2018 cover a large number of obligations for businesses, but a good place to start is to consider how you are complying against the principles of GDPR.
These principles say (in a summarised form) that personal data shall be:
The GDPR goes on to say that 'The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [all of the above] ('accountability')'.
Personal data: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Consent: any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
What are the benefits of getting Data Protection right?
The benefits of ensuring compliance span wider than you would think. You may believe that compliance will only help with the protection of personal data, and although this is a key factor, it goes much further than this.
Companies that comply with DP law can find that there is also a positive impact on*:
*taken from research carried out by Capgemini in 2019.
What is a personal data breach?
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
So remember, it is more than just about losing personal data!
What should we do if we discover a breach has occurred?
Firstly it is important to understand how to recognise a breach.
If you believe a breach may have occurred there are some simple steps that you can follow that will get you on the right path:
How long do we have to report a breach?
If you have determined that the breach is notifiable to the ICO, you must report it no later than 72 hours after becoming aware of it. The best course is to report as soon as possible once you have enough information to be able to provide a report.
If you don't have all the information yet, report what you can within the timescales while you continue to investigate and follow up with supporting information as soon as it is available.
If you take longer than 72 hours, you must inform the ICO of the reasons for the delay. This could have an impact if the ICO decide to take action against your company.
How long do we have to inform an individual about a breach?
If you have determined that the breach is likely to result in a high risk to the individuals concerned, you must inform them without undue delay. In other words, this should take place as soon as possible.
You may be obliged to inform the individual within the same 72 hours in which you are required to inform the ICO; however, think about how you would feel if this was your data and a breach occurred: you'd want to know as soon as possible. That individual may also need to take action to avoid fraud (for example) by changing their bank details, so don't delay in informing them.
What individual rights do people have?
There are 8 key rights that individuals have under GDPR. These rights also apply to you in day to day life, whether with your phone company, your broadband provider or a company you do online shopping with.
In a nutshell, they are as follows:
How long do we have to deal with a request?
All rights must be dealt with within 1 calendar month, however as each month is made up of different days, the ICO have recommended that 28 days from the day of receipt should be adopted.
It is possible to extend by 2 further months taking into account complexity and number of requests.
Can we charge a fee?
You cannot charge to deal with a right, however if it is considered to be 'manifestly unfounded' or 'excessive' (because of the repetitive nature) – you may charge a reasonable fee.
Any fee must consider the administrative costs of providing the information / communication.
Can the ICO fine us if we don't comply?
The ICO has the power to issue a monetary penalty to companies that fail to comply with various requirements of DP law.
How much could we be fined?
There are 2 tiers of penalty that can be used by the ICO to issue a fine.
These are as follows:
Which tier will be used will depend on the nature of the infringement.
What factors will the ICO take into consideration when determining how much to fine?
There are a number of 'aggravating factors' that will be considered when the fine amount is being determined.
Some examples of these are as follows:
We have created a series of Frequently Asked Questions videos to help you understand more detail on some key topics of GDPR and Data Protection. Below is a taster of what is available on YouTube.
The full range of videos can be accessed by clicking here