Data Protection Flashcards
What legislation covers data protection?
The principal law regulating the use of personal data is the EU's General Data Protection Regulation (GDPR), which has direct effect in all EU member states. In the UK, the Data Protection Act 2018 (DPA) supplements the GDPR and also covers processing that falls outside EU law, for example in relation to immigration and national security. Both the GDPR and the DPA took effect on 25 May 2018, representing the biggest change to UK data protection law in a generation. They were introduced to give individuals more control over how their personal data is used in a rapidly growing digital economy and to standardise the law across the EU.
What data does your company have?
During the course of our business activities we collect, process and store personal data. This includes details of current, past and prospective employees, clients, suppliers and others we communicate with. This information, which may be held on paper, on computer or on other media, is subject to several pieces of legislation relating to personal data.
What is personal data?
In order to understand our obligations relating to data protection, we need to understand what constitutes personal data. 'Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (Source: Article 4(1) GDPR)
Who ensures compliance?
Our nominated Data Protection Officer (DPO) is CP.
The DPO is supported by a core team who provide assistance with a number of different areas relating to the protection of information and who can help with queries.
Don’t forget - it is everyone’s responsibility to protect our client and employee data. You will be required to complete eLearning modules on Protecting Data and Information Security to demonstrate your understanding of these topics.
What are the penalties for non-compliance?
The Information Commissioner's Office (ICO) can impose fines of up to €20,000,000 or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements of data protection law; less serious infringements attract fines of up to €10,000,000 or 2% of turnover, again whichever is higher.
The GDPR also applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, so a company based outside the EU can still be fined for a breach involving their data. In July 2019 the ICO announced its intention to fine hotel company Marriott International £99m over a security breach, disclosed in November 2018, in which more than 339 million guest records were exposed to attackers, around 30 million of them relating to individuals in the European Economic Area. In the same week the ICO announced a proposed £183m fine against British Airways for exposing payment details and personal information of around 500,000 customers. (On final determination in 2020 both penalties were substantially reduced, to £18.4m and £20m respectively.)
While our firm is not a large international company, it must protect the data it holds in the same way that these global giants are expected to, or risk fines of up to 4% of our turnover - more than £1m based on our revenue in 2019. Think how much effort our employees put in to make £1m in client fees!
10 tips to comply with GDPR
Prepare diligently to ensure compliance
Assess any privacy risks inherent in business processes/activities
Involve IT support to make appropriate changes
Provide staff training and support on data security
Appoint a Data Protection Officer if required by GDPR
Ensure you have adequate systems to detect and deal with a breach and to notify the ICO within 72 hours of becoming aware of it, where the breach is likely to result in a risk to individuals
Do your systems comply with all GDPR principles and support individuals' rights, including the right to erasure (the 'right to be forgotten')?
Keep security software up to date, e.g. anti-virus and security patches, on desktops, laptops and mobile phones
Ensure any data already held is accurate, up to date and compliant with GDPR
Can you locate and release personal data promptly (normally within one month) if a subject access request is made?
How does the GDPR differ from the previous data protection regime (the Data Protection Act 1998)?
Accountability: organisations must be able to demonstrate that data is processed in accordance with the GDPR principles
Tougher penalties for non-compliance
Wider definition of personal data (including online identifiers and location data)
Non-EU organisations that offer goods or services to, or monitor the behaviour of, individuals in the EU must comply
Parental consent required where an online service offered directly to a child relies on consent and the child is under 16 (the UK has lowered this threshold to 13)
Where consent is the lawful basis, it must be given by a clear affirmative action, i.e. silence or pre-ticked boxes do not equal consent
Personal data breaches must be notified to the ICO within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals' rights and freedoms
Risk-based reviews (Data Protection Impact Assessments, previously known as Privacy Impact Assessments) must be undertaken for high-risk processing
Right to be forgotten (right to erasure) introduced
Right to data portability: individuals can ask for their data in a structured, commonly used, machine-readable format
Privacy by design and by default must be built into systems and processes, supported by staff training and contractual clauses
Additional liabilities placed on both data controllers and processors, with processors directly accountable for the first time
What are the key principles of GDPR?
Personal data must be:
Processed lawfully, fairly and in a transparent manner in relation to individuals
Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
In addition, the accountability principle (Article 5(2) GDPR) makes the controller responsible for compliance with the principles above and requires it to be able to demonstrate that compliance
What are individuals' rights under GDPR?
Right to be informed
Right of access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object
Rights in relation to automated decision making and profiling