General Data Protection Regulation
Data Protection regulation is changing. Let CAS help you get ready for the change.
Any UK-based organisation which collects and stores personal information about customers, clients or service users must comply with the Data Protection Act 1998 (DPA). The DPA implements the EU Data Protection Directive of 1995 (Directive 95/46/EC), which was intended to maintain a level playing-field across member states.
After an extensive review of existing legislation across Europe, the European Union adopted the General Data Protection Regulation (GDPR) in April 2016; it applies from 25 May 2018. This important update to Europe-wide law covers the capture, control and consent to use of personal information, and it applies to any organisation that offers goods or services to, or monitors the behaviour of, individuals in the EU, even if that organisation is headquartered elsewhere. Building on core principles already established by earlier legislation, the GDPR introduces new rights for individuals and new obligations for businesses.
Why regulations needed to change
Since the DPA’s introduction in the late 1990s, a massive technological revolution has taken place. The internet has completely transformed people’s lives, and the way that they share their personal data. Every day, people visit the web, using a range of devices for multiple purposes; and every day they fill in online registration forms, send emails, or post updates to social media.
This has caused an exponential growth in the amount of data both created and collected. Yet individuals are often unclear whether they have opted in to their data being profiled, stored or even sold, and don’t always think clearly about privacy or data security. Meanwhile, organisations may be capturing and storing personal data that they do not actually need, running the risk that they then fail to protect it adequately.
The new ocean of data certainly required a review of the directives and laws of 20 years ago to bring them in line with today’s realities. But the legal framework also needed to anticipate future needs, with the internet of things, smart meters, and multiple preference services all coming into play.
The GDPR: what you need to know
The GDPR will apply in the UK from 25 May 2018, and the government has confirmed that the UK’s decision to leave the EU will not affect the GDPR coming into force.
For many organisations in the UK, the GDPR might simply be seen as an upgrade to previous legislation. However, for organisations which fail to protect data adequately, potential fines are up to €20 million or 4% of worldwide annual turnover, whichever is higher. Data protection, and cyber security more generally, therefore needs to be taken seriously by senior leadership in every organisation which collects personal information.
So what are the enhanced provisions of the GDPR? Some of the key elements are:
- Personal and sensitive personal data: the GDPR’s definition of personal data is upgraded to include online identifiers (e.g. an IP address or cookie identifier) for data subjects – i.e. the individuals whose data it is. Sensitive personal data under the DPA covers racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life and criminal offences; the GDPR’s ‘special categories’ extend this to include genetic data and biometric data processed to uniquely identify a person. For most organisations, these enhanced definitions are likely to make little practical difference, though bear in mind that they apply both to automated personal data and to structured manual filing systems.
- Data processing: under the GDPR, organisations must guarantee that data shall be processed lawfully, fairly and in a transparent manner, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Privacy by design: under Article 25 of the GDPR (‘data protection by design and by default’), data protection must be designed into business processes and systems, and the default settings must ensure that only the personal data necessary for each specific purpose is collected, processed and retained.
- Data Protection Impact Assessments: a DPIA must be conducted where processing is likely to result in a high risk to the rights and freedoms of data subjects. The risks must be assessed and mitigated, and where a DPIA shows a high risk that cannot be mitigated, the organisation must consult the data protection authority before the processing begins. A named Data Protection Officer is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data; other organisations may appoint one voluntarily.
- Capturing consent and the ‘right to erasure’: consent is one of the lawful bases on which the GDPR allows personal data to be processed, and where an organisation relies on it, the bar is higher than before. Consent under the GDPR requires a clear affirmative action; silence, pre-ticked boxes or inactivity does not constitute consent. As the consent must be verifiable, a record must be kept of how and when it was given and what the individual was told. Individuals have the right to withdraw consent at any time, and withdrawing it must be as easy as giving it. Separately, the ‘right to erasure’ means that individuals can, in defined circumstances (for example where the data is no longer needed for the purpose it was collected for, or where they withdraw the consent the processing relied on), require an organisation to delete their personal data from its records.
This will certainly mean that many companies’ systems need to be upgraded. But for companies which manage and store data effectively, this new regime might be more of an opportunity to understand stakeholders’ needs better, rather than simply an increased cost of compliance.
For more information about the GDPR, you can visit the website of the Information Commissioner’s Office (ICO), the UK’s data protection authority. The ICO will be providing detailed guidelines on aspects of the GDPR over coming months.
CAS is a market leader in data protection
CAS is already fully compliant with the Data Protection Act 1998 and registered with the Information Commissioner’s Office (ICO), registration number Z1281061.
CAS is fully prepared for the changes required under the GDPR, which expands on the DPA and adds new areas of control. The GDPR defines two roles: the data ‘controller’, which determines the purposes and means of processing, and the data ‘processor’, which processes personal data on the controller’s behalf. For the services CAS provides, its clients are the data controllers, and CAS acts as their data processor, as set out in the definitions of the GDPR.
CAS’s role as a data processor extends only to scanning documents and uploading scanned files to client-managed data banks on the secure and password-protected CAS-Cloud. CAS guarantees that data shall be processed lawfully, fairly and in a transparent manner. We will only process information in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures. The conditions for processing and the legal basis for scanning are defined by the client’s own obligations around data retention, and are set out in the contracts which we sign with our clients.
Our document shredding and IT equipment disposal services are also entirely compliant with the GDPR, as our clients remain data ‘controllers’ under the GDPR definitions. Again, we will always make this clear in any contract which we sign with clients who use these services.