Why does the Data Protection Act (DPA) need to be replaced?
The DPA was implemented in the 1990’s when there was no social media or cloud computing. It does not reflect how we now live and do business; we need better ways to protect and use personal data. The good news is that many of the concepts and principles are much the same as those in the DPA, so if you are complying now then most of your approach remains valid.
Does BREXIT make a difference?
No, the UK Government have confirmed that GDPR will be implemented in May 2018. The Information Commissioner has said “There may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018”
What is meant by personal data?
The definition of personal data is much wider than under the DPA. It includes online identifiers, such as the id of your mobile phone while you browse the internet, along with HR, customer and supplier records. There is no distinction between personal data of a business contact and that of a client or customer, and it covers electronic and paper records with personal details.
What happens if I do nothing?
You could be fined. The GDPR says fines should be “effective, proportionate and dissuasive” and can be issued for a data breach or failure to show compliance. The fines can be up to €20m or 4% of global turnover (whichever is the higher) depending on the scale of the issue.
Is this really just an IT issue?
No, but having robust IT systems will be essential to being compliant. The GDPR references the need for “…appropriate technical and organisational measures be taken” 10 times. You need to have processes and procedures in place to deal with issues such as removing personal data when it is no longer required, or someone has asked for their data to be removed, and data protection requirements are always considered when updating a process or system that uses personal data.
What about “Consent” to contact someone?
This could be a big change for some businesses. You will generally need to have records that someone has given “unambiguous” consent for you to contact them. The use of “opt out” boxes to indicate consent is not permitted. For business contacts, marketing emails may be allowed without seeking permission provided the contact details be obtained during the course “a sale of a product or a service”.
What do I need to do?
First find out more about the GDPR principals so you can understand the impact it will have on your business. After this, you should do an audit of all your personal data and determine where you already meet the GDPR principals and where changes are required to processes, procedures and IT.
About the Author: Ian Grey is an Information and Cyber Security Consultant at Wadiff Consulting