Background to GDPR & The UK Data Protection Act 2018

Background to the GDPR and the UK Data Protection Act 2018

Technological change means personal data is now so important and valuable to organisations that it’s been described as the “new oil”.

In May 2018, redesigned legislation protecting personal data came into force across the EU, including the UK. It’s creating a whole new industry surrounding GDPR compliance, but for people who aren’t data protection professionals, the language used can be confusing and misleading.

This page provides some basic background explaining why legislation was needed and the implications for your organisation.

PERSONAL DATA – THE ‘NEW OIL’

Every organisation now relies on personal data for

People

Employees, customers, suppliers, partners

Payments

Online payments and payment details

Marketing

Direct marketing, social media, market research

Services

Finance, insurance, medical and health

Identity Verification

Online and offline account access

Profiling

Behavioural analysis, AI, individual profiling, targeting

Why legislation was needed

Personal data was considered “free”

Some organisations collected personal data indiscriminately and did what they liked with it

Even if it was sensitive, private or unnecessary
Without a specific purpose
Without ever deleting it
Without suitable protections

They abused it, treated it as their own, sold it and made it available to others without consent

They failed to protect it, allowed it to leak and made it easy for hackers to steal it

The previous legislation was 20 years old, and hadn’t kept up with new technology or consumer trends.

THE GDPR AND DATA PROTECTION ACT 2018

The GDPR is new, EU wide, legally binding legislation

It was enacted into UK law as the Data Protection Act 2018, so will be unaffected by Brexit

It gives control and ownership of personal data back to the Individual

Organisations “borrow” an individual’s personal data for specific purposes only and must define their legal basis for using it

Individuals can now (with certain restrictions):

Access their data, ensure it is correct, modify it or have it deleted
Receive it from the organisation in a portable format

The legislation creates potential for big fines and adverse publicity likely to cause considerable reputational damage

Organisations must also comply with other data protection regulations and guidelines:

Sector specific (e.g. FCA / Caldicott / NHS DSPT)
Information security (e.g. ISO 27001)
International (Privacy Shield etc.)
Privacy and Electronic Communications Regulations (PECR)

What should organisations be doing?

They must have robust processes and procedures to protect personal data. They must minimise the data they store; use it only for the intended purpose and not keep it longer than necessary

Organisations must designate a Data Protection Officer if they:

are a public body
process data on a large scale

Certain organisations outside the EU must appoint an EU Representative if they process the personal data on European resident

Click one of the options below to speak to us about our Data Protection Services

Email Call Contact Form