Posted on 12.8.19 by Christian Mancier
Last year, on 25th May 2018, the EU General Data Protection Regulation (GDPR) came into effect in the UK, alongside the Data Protection Act 2018.
The months prior to GDPR coming into force were very busy with businesses trying to get their organisations ready, but what has actually happened since the regulation came into effect?
So, let’s recap – what’s the purpose of GDPR?
The purpose of GDPR is to align data protection laws across Europe, giving individuals more rights and greater control over how their personal information is processed and by whom. The regulation applies to any organisation that controls or processes personal data.
The Information Commissioner’s Office (ICO) is responsible for enforcing GDPR in the UK and has the power to conduct criminal investigations and issue fines if necessary.
GDPR was needed because of significant advances in technology, and because the way in which individuals and organisations communicate, use and share information has fundamentally changed, making the previous data protection laws such as the Data Protection Act 1998 out of date. Just think back to 1998: floppy disks with storage capacity measured in megabytes were the storage medium of choice, e-mail and the internet were, relatively speaking compared to 2019, in their infancy, and social media was unheard of.
What are the legal bases for processing data?
Under GDPR you can only process the personal data of individuals if you have a lawful basis for doing so. The lawful bases for processing personal data are:
• For the entering into or performance of a contract
• For compliance with legal obligations
• To protect the data subject’s vital interests
• For carrying out public functions
• For the legitimate interests of the data controller – providing the data subject’s fundamental rights and freedoms do not override those interests
• Where the data subject has given clear informed consent to process their data
You should only rely on consent if there is no other lawful basis for the processing. Consent must be given freely in a specific, informed and unambiguous way. As the data controller, you will have to be able to demonstrate how the consent was obtained and inform people that they have the right to withdraw consent at any time.
What is special category data? How does it differ from normal data?
According to the ICO, special category data is personal information that GDPR says is more sensitive and therefore needs a higher degree of protection.
This relates to data that includes details about an individual’s:
• ethnic origin;
• political views or opinions;
• trade union membership;
• biometrics (where used for ID purposes);
• sexual life; or
• sexual orientation.
What are the legal bases for processing special category data?
You still need a lawful basis for processing this data in exactly the same way as for any other personal data. The difference is that you must also meet additional criteria, which, amongst others, commonly include:
• Explicit consent from the data subject
• The relevant special category data is already in the public domain
• The processing is necessary:
    • Under the law
    • To protect the vital interests of the employee
    • For establishing, exercising or defending legal claims
    • For reasons of substantial public interest (including archiving)
    • For historical, scientific, research or statistical purposes, subject to appropriate safeguards
There are seven GDPR principles you should be aware of:
• Data must be processed fairly, lawfully and in a transparent manner
• Data must be collected for specified, explicit and legitimate purposes
• Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (this is also known as data minimisation)
• Data must be accurate and where necessary kept up to date
• Data needs to be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (aka storage limitation)
• Data needs to be processed securely to ensure integrity and confidentiality
• The data controller is accountable and needs to be able to demonstrate compliance with these principles
What’s the difference between a data controller and a data processor?
Data Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. This will usually be the organisation that controls the relevant personal data.
Data Processor: means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. This will usually be an organisation that receives data from a data controller in order to carry out a specific task with that data on the data controller's behalf.
What are the main risks for non-compliance? How can this impact the business?
The new regulation is stricter around the processing and security of data. The maximum fine has increased from £500,000 to €20m or 4% of global annual turnover, whichever is higher. Organisations now have to demonstrate compliance, have to be more accountable and are subject to audit by the ICO.
What has happened since last year in terms of fines and investigations?
There were around 14,000 data breach reports made between 25th May 2018 and the 1st May 2019, up from around 3,300 in the 12 months to the 1st April 2018.
British Airways suffered a post-GDPR data breach potentially disclosing around 244,000 payment card details of customers and the ICO has issued a notice of intention to issue a fine of £183.39m, equating to roughly 1.5% of BA’s annual global turnover.
Marriott Hotels have been issued with a notice of intention to issue a fine in the sum of £99m after hackers stole the details of 339 million guests.
HMRC was ordered to delete millions of voice recordings because of an imbalance of power between HMRC and taxpayers, no explanation of how to opt out of the Voice ID system, no explanation that opting out of the system would have no detrimental effect, and no Data Protection Impact Assessment in place.
Google has been fined €50 million by the French regulator; the factors cited included a continuous and highly intrusive violation that affected a large number of people and compromised large sets of data.
However, the majority of enforcement action in the UK has been under the old 1998 DPA, for example, Facebook was fined £500,000 (the maximum fine under the old Data Protection Act 1998) for improperly sharing data on 87 million users with Cambridge Analytica.