GDPR: Privacy re-defined

New Heights for Accountability, Transparency, Contracts and Response

A brave new world of privacy

The Quick Version

The European Union's General Data Protection Regulation has a wide reach in terms of its international scope and the obligations it places upon those who wish to process the personal data of people in the EU.

To all intents and purposes, the Data Protection Act is 'GDPR plus'. It enshrines the GDPR into UK law and ensures that, even after Brexit, UK companies are required to treat personal data with the same level of care and transparency.

It also sets out the UK's requirements in certain areas such as law enforcement, intelligence and defence, and introduces into UK law two new criminal offences designed to enforce and protect the rights of UK data subjects.

There is no getting away from it. If you are a UK business or want to do business in the UK, you will need to comply with both the GDPR and the Data Protection Act 2018.

This is a good thing. Privacy is integral to the modern economy and the reality is most businesses at least want to do the right thing.
[Figure: percentage counter, value not recovered] of firms have experienced a significant, business-altering data breach caused by a vendor.

Spiceworks survey on behalf of eSentire, 2019

The main impacts

For those who have always made an effort to comply with data protection legislation, many of the changes introduced by the GDPR and Data Protection Act are fairly small. There are, however, some areas where the requirements of the new legislation are substantial.

This is not intended to be another site where the wording of each article and recital is reproduced with dire warnings of catastrophic fines for each infringement - there are plenty of those around.

The ICO has some great guidance for business on its website if you want detailed information, but here is our summary of some of the areas we think have seen the greatest impact and how they affect your business operationally.

Accountability

It is no longer good enough to just comply and 'do no harm'. Organisations need to be able to prove they comply and demonstrate the systems and controls they have in place. This encapsulates everything from operational policies and procedures to having a clear reporting line responsible for data protection, including, where appropriate, having appointed a Data Protection Officer. Most importantly, you need to be able to demonstrate that privacy runs through your business culture and is a consideration when important business decisions are made, e.g. by conducting a Data Protection Impact Assessment before the introduction of a new product or service.

Transparency

Much of what you will have read and heard about the GDPR comes under this heading. Organisations have an obligation to provide clear information to individuals and the regulator about the way they use personal data. The ultimate data 'show and tell' and a cornerstone of trust, it covers everything from your privacy notices and being able to state the lawful basis on which you are using someone's personal data, to being able to fulfil Data Subject Rights in a timely and comprehensive manner. Transparency relies heavily on your organisation understanding and accurately documenting the data it uses, why it uses it, and how that aligns with both your commercial objectives and your privacy obligations.

Contracts

There are many aspects to this part of your organisation's obligations under the GDPR. Obviously, any contracts with data subjects must be transparent about the use of their data, and privacy information cannot be hidden away in terms and conditions. You must share personal data only with those organisations with whom you have a written agreement that complies with the requirements of the GDPR. Above all, ensure you have conducted and recorded sufficient due diligence on your business partners to satisfy yourself that the personal data you share with them is sufficiently protected, especially with respect to security and international transfers.

Response

Take the time to ensure you understand your obligations and your readiness to respond to them. The natural assumption would be that this refers to how you respond to and handle personal data breaches. The GDPR places new reporting obligations on organisations and requires you to have suitable systems and controls to detect, investigate and assess the risk of personal data incidents in a timely, proactive manner. You also need to assess how your organisation's processes are set up to respond to a request to fulfil a Data Subject Right, such as access to the information you hold. One aspect which is often forgotten is the requirement to engage with the ICO in response to a Data Protection Impact Assessment or a consumer complaint.

It's not all bad news

There are commercial benefits

This video, produced by Lloyds Banking Group and featuring the Information Commissioner, Elizabeth Denham, highlights some of the commercial benefits of a privacy-friendly approach to business and GDPR compliance.