On the 25th of May 2018, the world as we know it will end and there will be a new beginning… No, the doomsday calendar hasn’t expired (again, when is the next scheduled end of the world?), but on this day we will all have greater data protection under the GDPR (General Data Protection Regulation).
This is the largest change in privacy legislation in 20 years!
The Information Commissioner’s Office (ICO) is the UK’s independent body responsible for upholding the public’s information rights. Big corporations with endless resources are bypassing the current Data Protection Act 1998, taking full advantage of various loopholes. The GDPR is a piece of EU legislation that has been designed to close many of those gaps, ensuring that all businesses, large and small, use your data safely and continue to have a level of responsibility where they pass your data on to a 3rd party.
Before we get into the meat of GDPR…
What is considered data?
Personal data is defined as any information relating to a person that can be used to directly or indirectly identify that person. For example, their full name, email address, purchases, financial history etc.
There is also special category (high risk) data which requires explicit consent or specific reasons for being obtained and stored. This includes race/ethnic origin, health and medical data, sexual orientation and criminal convictions.
Now onto the main course!
It has been suggested that UK businesses do not need to worry about GDPR due to Brexit.
Regardless of Brexit, GDPR is coming. The UK is due to leave the EU in accordance with Article 50 in March 2019, so we are guaranteed 10 months of GDPR. After this time GDPR will be replaced by the almost identical Data Protection Bill, which is currently going through parliament.
Not only does this legislation affect the UK after Brexit, but it affects companies worldwide! This legislation protects all EU citizens. Therefore, if companies in the US, India, China, Russia or anywhere in the world wish to do business that involves collecting, storing or processing EU citizens’ data, then they must meet the requirements of this legislation!
This is hugely significant because your data is worth a lot of money to businesses and criminals. Your data allows companies to know what you look at online, your interests and your contact details, and allows them to target you with their products. Criminals use your data to build a picture of you until they can steal your identity and hack your bank account. They obtain it in many ways, including hacking lax business security and even purchasing it!
This is where GDPR comes into its own.
Many businesses that are selling/passing data to 3rd parties are washing their hands of accountability for your data once the data has been passed on. GDPR means that the data controller (the organisation or legal person that determines the purpose and means of how your data is processed) is responsible for ensuring your data is being used for the agreed purposes even after they have passed your data on to a 3rd party/data processor. A data processor is any organisation or legal person that processes data on behalf of the controller, such as an accountant, marketing agency or payroll agency.
The data controller is responsible for ensuring that the data processor has taken reasonable steps to protect data, and if the data processor passes that data on to another organisation or legal person, the data controller again has responsibility to ensure that the data is secure and being processed as agreed with the person to whom the data belongs.
GDPR only applies to personal data able to identify a living person. This affects:
- completed forms
- cookies and website tracking
- paper documents
This legislation applies to all data subjects (an identified or identifiable person) so affects all:
- suppliers and contractors
The six principles of the GDPR
For organisations to ensure they are compliant they will be required to:
- process data lawfully, fairly and transparently
- only collect data for explicit and lawful purposes
- ensure data is relevant and necessary for its purpose
- keep data up to date and accurate
- keep data only if required and for no longer than necessary
- keep data secure
The role of the GDPR is not to make it more difficult to do business but to ensure that personal data is used responsibly, and where companies are misusing data without due discretion the GDPR gives the ICO a very large stick.
The maximum financial penalty for non-compliant organisations under current legislation is €600,000, which is already a very large stick for small and medium-sized businesses! However, large organisations allow for these penalties in their budget, as the profit outweighs the risk.
With the new legislation the ICO has much greater punching power.
There will be a two-tiered sanction structure. For the lesser incidents, maximum fines of €10 million or 2% of global turnover (whichever is greater), and for the most serious violations the ICO can fine a whopping €20 million or 4% of global turnover (whichever is greater).
This ensures that large organisations take note. In 2016 TalkTalk were fined a then-record £400,000; that would convert into a £59 million fine if the same breach had occurred under the new GDPR.
Fines are cumulative, based on:
- lack of documentation and evidence of compliance
- inability to demonstrate an appropriate lawful basis for processing
- inadequate security, safeguards or processes in place
- failing to notify the ICO within 72 hours of a breach and (where necessary) Data Subjects of a breach
Undoubtedly this is great news for the population, giving us more control over our personal data and with whom it is shared, but how does GDPR affect care providers?