Background to the GDPR and the UK Data Protection Act 2018
Technological change means personal data is now so important and valuable to organisations that it’s been described as the “new oil”.
In May 2018, new legislation protecting personal data took effect across the EU, including the UK. It created a whole new industry around GDPR compliance, but for people who aren’t data protection professionals, the language used can be confusing and misleading.
This page provides some basic background explaining why legislation was needed and the implications for your organisation.
PERSONAL DATA – THE ‘NEW OIL’
Every organisation now relies on personal data for:
- People: employees, customers, suppliers, partners
- Payments: online payments and payment details
- Marketing: direct marketing, social media, market research
- Services: finance, insurance, medical and health
- Identity verification: online and offline account access
- Profiling: behavioural analysis, AI, individual profiling, targeting
Why legislation was needed
Personal data was treated as “free”.
Some organisations collected personal data indiscriminately and did what they liked with it:
- Even if it was sensitive, private or unnecessary
- Without a specific purpose
- Without ever deleting it
- Without suitable protections
They abused it, treated it as their own, sold it and made it available to others without consent.
They failed to protect it, allowed it to leak and made it easy for attackers to steal it.
The previous legislation was around 20 years old and hadn’t kept up with new technology or consumer trends.
THE GDPR AND DATA PROTECTION ACT 2018
The GDPR is EU-wide, legally binding legislation. In the UK it is retained as the UK GDPR, which sits alongside the Data Protection Act 2018.
It gives individuals control over their personal data.
Organisations “borrow” an individual’s personal data for specific purposes only and must identify a lawful basis for using it.
Individuals can now (with certain restrictions):
- Access their data, ensure it is correct, modify it or have it deleted
- Receive it from the organisation in a portable format
- Object to processing (including direct marketing) and to decisions based solely on automated processing that significantly affect them
The legislation creates the potential for large fines (up to 4% of worldwide annual turnover or €20 million / £17.5 million, whichever is higher) and adverse publicity likely to cause considerable reputational damage.
Organisations must also comply with other data protection regulations and guidelines:
- Sector specific (e.g. FCA / Caldicott / NHS DSPT)
- Information security (e.g. ISO 27001)
- International (CCPA / LGPD / POPIA etc.)
- Privacy and Electronic Communications Regulations (PECR)
What should organisations be doing?
They must have robust processes and procedures to protect personal data. They must minimise the data they collect and store, use it only for the purposes for which it was collected, and not keep it longer than necessary (the data minimisation, purpose limitation and storage limitation principles).
Organisations must designate a Data Protection Officer if they:
- are a public authority or body
- carry out, as a core activity, large-scale regular and systematic monitoring of individuals
- carry out, as a core activity, large-scale processing of special category data or criminal conviction data
Organisations established outside the EU must appoint an EU Representative if they offer goods or services to, or monitor the behaviour of, individuals in the EU (unless the processing is occasional and low risk). Likewise, organisations established outside the UK must appoint a UK Representative if they process personal data of individuals in the UK in the same way.