Background to the GDPR and the UK Data Protection Act 2018

Technological change means personal data is now so important and valuable to organisations that it’s been described as the “new oil”.

In May 2018, redesigned legislation protecting personal data came into force across the EU, including the UK. It’s creating a whole new industry surrounding GDPR compliance, but for people who aren’t data protection professionals, the language used can be confusing and misleading.

This page provides some basic background explaining why legislation was needed and the implications for your organisation.

PERSONAL DATA – THE ‘NEW OIL’

Every organisation now relies on personal data for:

  • People: employees, customers, suppliers, partners
  • Payments: online payments and payment details
  • Marketing: direct marketing, social media, market research
  • Services: finance, insurance, medical and health
  • Identity verification: online and offline account access
  • Profiling: behavioural analysis, AI, individual profiling, targeting

General Data Protection Regulation

Why legislation was needed

  • Personal data was considered “free”
  • Some organisations collected personal data indiscriminately and did what they liked with it:
      • Even if it was sensitive, private or unnecessary
      • Without a specific purpose
      • Without ever deleting it
      • Without suitable protections
  • They abused it, treated it as their own, sold it and made it available to others without consent
  • They failed to protect it, allowed it to leak and made it easy for hackers to steal it

The previous legislation was 20 years old and hadn’t kept up with new technology or consumer trends.

THE GDPR AND DATA PROTECTION ACT 2018

The GDPR is new, EU-wide, legally binding legislation:

  • It gives control and ownership of personal data back to the individual
  • Organisations “borrow” an individual’s personal data for specific purposes only and must define their legal basis for using it
  • Individuals can now (with certain restrictions):
      • Access their data, ensure it is correct, modify it or have it deleted
      • Receive it from the organisation in a portable format
  • The legislation creates potential for big fines and adverse publicity likely to cause considerable reputational damage
  • Organisations must also comply with other data protection regulations and guidelines:
      • Sector specific (e.g. FCA / Caldicott / NHS DSPT)
      • Information security (e.g. ISO 27001)
      • International (Privacy Shield etc.)
      • Privacy and Electronic Communications Regulations (PECR)

What should organisations be doing?

  • They must have robust processes and procedures to protect personal data. They must minimise the data they store, use it only for the intended purpose and not keep it longer than necessary
  • Organisations must designate a Data Protection Officer if they:
      • are a public body
      • process data on a large scale
  • Certain organisations outside the EU must appoint an EU Representative if they process the personal data of European residents
