Background to the GDPR and the UK Data Protection Act 2018

Technological change means personal data is now so important and valuable to organisations that it’s been described as the “new oil”.

In May 2018, redesigned legislation protecting personal data came into force across the EU, including the UK. It’s creating a whole new industry surrounding GDPR compliance, but for people who aren’t data protection professionals, the language used can be confusing and misleading.

This page provides some basic background explaining why legislation was needed and the implications for your organisation.

PERSONAL DATA – THE ‘NEW OIL’

Every organisation now relies on personal data for:

  • People: employees, customers, suppliers, partners
  • Payments: online payments and payment details
  • Marketing: direct marketing, social media, market research
  • Services: finance, insurance, medical and health
  • Identity verification: online and offline account access
  • Profiling: behavioural analysis, AI, individual profiling, targeting

Why legislation was needed

• Personal data was considered “free”
• Some organisations collected personal data indiscriminately and did what they liked with it:

  • Even if it was sensitive, private or unnecessary
  • Without a specific purpose
  • Without ever deleting it
  • Without suitable protections

• They abused it, treated it as their own, sold it and made it available to others without consent
• They failed to protect it, allowed it to leak and made it easy for hackers to steal it

The previous legislation was 20 years old, and hadn’t kept up with new technology or consumer trends.

THE GDPR AND DATA PROTECTION ACT 2018

The GDPR is new, EU-wide, legally binding legislation:

• It was enacted into UK law as the Data Protection Act 2018, so will be unaffected by Brexit
• It gives control and ownership of personal data back to the individual
• Organisations “borrow” an individual’s personal data for specific purposes only and must define their legal basis for using it
• Individuals can now (with certain restrictions):

  • Access their data, ensure it is correct, modify it or have it deleted
  • Receive it from the organisation in a portable format

• The legislation creates potential for big fines and adverse publicity likely to cause considerable reputational damage
• Organisations must also comply with other data protection regulations and guidelines:

  • Sector specific (e.g. FCA / Caldicott / NHS DSPT)
  • Information security (e.g. ISO 27001)
  • International (Privacy Shield etc.)
  • Privacy and Electronic Communications Regulations (PECR)

What should organisations be doing?

• They must have robust processes and procedures to protect personal data. They must minimise the data they store, use it only for the intended purpose and not keep it longer than necessary
• Organisations must designate a Data Protection Officer if they:

  • are a public body
  • process data on a large scale

• Certain organisations outside the EU must appoint an EU Representative if they process the personal data of European residents

All organisations must be TRANSPARENT in the way they process personal data and ACCOUNTABLE for doing so
