This article outlines the new data protection rules that come into force from 25th May 2018.
It will also address Avar’s action plan in dealing with this.
Furthermore, this gives us the opportunity to review all our databases, our Standard System and Procedure (SSAP) and our modus operandi, together with every aspect of how we conduct ourselves in business.
Accordingly, a new “vision statement” called Privacy and Protocol Policies (PPP) has been devised and is being implemented.
What is GDPR and its History?
Many of the principles of the GDPR can be traced as far back as 1981.
The Data Protection Act was introduced in the UK in 1984.
The first EU Data Protection Directive was in 1995.
The update in the UK was the Data Protection Act 1998.
The new General Data Protection Regulation EU 2016/679 was introduced by the EU in April 2016.
These regulations relating to Data Protection are not, therefore, new.
However, this has been the most significant upgrade to data protection in 20 years.
It applies to all organisations that process personal (individual) data.
There are generally two types of data:
B2B (Business to Business).
B2C (Business to Consumer, i.e. personal individuals, not organisations).
It is designed to ensure that all member states' approaches to data protection law are unified and applied identically.
It protects EU citizens from organisations using their personal data irresponsibly.
It puts them in charge of what information is shared, and where and how it is shared.
The main purpose is to have responsible and transparent policies for handling such data, which is exactly what we have had since October 1984.
What is Personal Data?
Although the definition of personal data has changed little in the last three decades, even experts can still get it wrong. Put simply, personal data is “any information relating to an identified or identifiable natural person (‘data subject’)”.
The scope for identifying a natural person has increased subtly but importantly under the GDPR, which now includes an “online identifier”, such as an IP address.
There are two important but common mistakes that catch people out. First, many assume that email addresses such as [email protected] or an office DDI number are not personal data because they belong to a business and are not “personal”. This is incorrect - anything that allows a natural person to be identified (think privacy rather than ownership) is personal data. An example which isn’t personal would be something like [email protected].
The second common mistake relates to information in the public domain, such as that found in directories or on social media. Nowhere in the DPA or GDPR does it define personal data according to where it came from. If you glean information from someone’s publicly available online profile, then that information still remains firmly within the scope of the GDPR.
Data Protection isn’t simply how you look after data in transit or at rest - it’s the entire lifecycle of how you collect, use and eventually destroy that data - something called ‘processing’.
Ultimate control needs to rest with individuals, giving them the right to opt in or out of receiving communications, and to consent to their personal data being held on databases. Avar have been working on protocols to allow this to happen for all aspects of business, which is why we haven’t followed the crowd and been quick to send meaningless opt-in emails only, as most companies and organisations have done. Everyone will be given the opportunity to “opt in” in due course.
Who is Overseeing GDPR?
The ICO (Information Commissioner’s Office) are responsible for overseeing the enforcement of GDPR.
They have always overseen the “Governance”.
They are an executive non-departmental public body.
They are also responsible for imposing and collecting fines.
Incidentally, they are also primarily funded by charging and collecting penalties!
Penalties for Non-Compliance and Data Breaches
There are heavy fines for non-compliance.
The old fines were £500k (maximum).
The new maximum fines are the greater of 4% of turnover or EUR 20M.
This is the maximum fine possible and applies to the most serious infringements, such as not having obtained customer consent to process data. However, the fines are tiered based on the level of severity of the data breach.
In 2016, the telecoms company TalkTalk were fined a record £400K by the ICO for security failings that allowed a cyber attacker to access customer data “with ease”.
This fine would be the equivalent of £59M under the new regulations.
When does GDPR apply?
The GDPR is enforced from 25 May 2018, although the ICO are not expecting all organisations to have all policies and procedures in place by then.
They expect every organisation to have made a start and have a plan to be GDPR compliant.
The UK will be bound by these regulations even after Brexit, as they will still apply to all businesses handling EU residents’ personal data.
A Data Protection Bill will enforce the GDPR in the UK and will replace the Data Protection Act 1998.
It does mean implementation on that date.
Those responsible have to demonstrate that policies have been organised for its eventual implementation.
GDPR in Practice
Avar have been registered with the ICO since 2007 as a limited company and, prior to that, as a partnership since its inception (reference: Z9998105).
This is in accordance with the requirement from the ICAEW.
We at Avar have always had responsible, transparent policies towards managing such data since 1984.
We have gone some way towards storing individuals’ and clients’ data securely as good business practice.
What is required is merely its re-organisation and restructuring, and our management of it.
From Avar’s perspective, no information is retained for marketing; it is held purely for client management.
This has now been totally formalised and structured.
Through the use of the online portal, files are already kept securely without the need for further encryption.
In addition, we will be reviewing contracts with clients, suppliers and employees to ensure compliance with GDPR.
Under these regulations, we are required to obtain consent for all contact information held on our databases.
A demonstration of the approach is given in “Demo”.
A framework has already been put in place and merely needs populating.