We’ve had the Data Protection Act in the UK for a very long time now. The law was passed in 1998, consolidating earlier legislation including the Data Protection Act 1984 and the Access to Personal Files Act 1987, and at the time it marked a big step forward. As time has passed it has become clear that the DPA is a cluttered and unwieldy law, and in a lot of cases it ended up serving organisations as a barrier to hide behind rather than serving the consumers it was designed to protect. Recently it has begun to feel out of date.
A lot has changed in the way data is collected, processed and stored since 1998, and that much is an understatement. To give it some context, in 1998 fewer than 10% of UK households had an Internet connection. When the Act was given Royal Assent in July 1998 Google didn’t even exist, and nor did Facebook, LinkedIn or any of the other great personal data collectors we have today. “Big Data” wasn’t a term anyone used, and the whole web of the time would have fitted comfortably on a single modern desktop hard drive.
Nowadays it’s possible to build up a complete profile of a person, completely legitimately, by cross-referencing every aspect of their online activity. Add to this that the smartphone in your pocket lets Google, Facebook and any other app that has been granted the relevant permissions (often buried in its terms of service) record audio through the microphone and track your exact location throughout the day. Cross-referenced, processed and packaged together, all of this activity builds a very detailed picture of a person’s wants, desires and pain points.
Even the most seemingly benign data, such as how much battery life an individual’s device has left, is valuable. The Battery Status API (a W3C specification from the HTML5 era, rather than part of HTML5 itself) was designed to let a website serve a low-power version of a page when it detects that your battery is running low. Security researchers soon showed that the high-precision values it exposed, the charge level together with the estimated charging and discharging times, could be used to recognise the same device across sites and sessions for a short window, and later studies found scripts in the wild already combining those readings with other signals to re-identify visitors who blocked or deleted tracking cookies.
Virtually any piece of data collected from our personal devices and internet activity can be used in some way to track or profile us, which makes that data extremely valuable to companies looking to target us with advertisements. In an era of inter-connectivity, where convenience is king for many people when it comes to technology, it is easy to lose track of what we have agreed our data may be used for; no wonder, given the complexity of many mainstream apps’ terms of service. Every EU citizen generates a vast amount of personally identifiable data every day, and in the wrong hands that information can easily be used to put individuals at risk.
That’s where the General Data Protection Regulation comes in. It aims to make it easier for EU citizens to understand and manage what data of theirs is held by organisations, and it brings up to date many aspects of data protection regulation that have been in dire need of modernisation across the EU. But just how does it differ from the current Data Protection Act in the UK? And what changes will companies, inside and outside the EU, have to make to become compliant?
The Data Protection Act applies only to organisations in the UK, whereas GDPR covers any organisation that holds or processes the personal data of individuals in the EU, regardless of whether the organisation itself is based in the EU. As we’ve mentioned previously, this means that UK companies must comply, Brexit or no Brexit.
Data controllers and data processors working with the data of EU individuals are both directly responsible for the data they handle, and under GDPR a supervisory authority can fine either or both where they are responsible for an infringement. Under the DPA, enforcement fell on the controller alone.
If you market directly to prospects or customers, a positive opt-in will be required under GDPR. Under the DPA a negative opt-out was widely treated as sufficient (i.e. “tick here if you do not wish to receive communications” at the point of data entry). GDPR puts the onus on the company sending marketing communications to obtain a clear affirmative opt-in from its audience: the request must be in plain language, kept separate from other terms and conditions, and consent must be as easy to withdraw as it was to give.
Personal Data Requests
Subject access requests are free under GDPR, must be answered within one month (rather than the DPA’s 40 days), and data subjects now have an explicit right to have their data rectified or erased should they wish. Under the DPA, organisations were permitted to charge a fee (normally up to £10) for an access request, and rectification or erasure generally had to be pursued through a court order under section 14 of the Act.
Organisations will still be able to charge a reasonable fee, or refuse to act, where requests become manifestly excessive or repetitive, but in the first instance GDPR hands power to data subjects in gaining access to their data. Any such fee must reflect the administrative cost of fulfilling the request.
Data breach reporting was mandatory under the DPA only where the breach was also covered by the Privacy and Electronic Communications Regulations (as amended in 2011), which require telecoms providers and ISPs to report personal data breaches. For organisations outside the scope of PECR, reporting a breach to the ICO was advisory rather than mandatory.
By contrast, under GDPR breach reporting is mandatory whenever a breach is likely to result in a risk to individuals’ rights and freedoms. In that case the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and a processor must notify its controller without undue delay. Where the risk to individuals is high, the controller must also inform the affected data subjects without undue delay.
The DPA carries monetary penalties of up to £500,000 for serious breaches of the legislation, and to date nobody has been fined more than £400,000 (see TalkTalk, October 2016). If that sounds like a lot, you’d better swallow your coffee before reading the following sentence…
Fines for the most serious breaches of GDPR have an upper limit of €20 million or 4% of worldwide annual turnover, whichever is higher (with a lower tier of €10 million or 2% for other infringements), making the threat of serious financial difficulty for organisations within its scope very real indeed. For many businesses, a fine of this size for serious non-compliance could easily result in closure.
Fear not – there’s still time
The road to GDPR compliance shouldn’t be daunting. The regulation applies in full from 25 May 2018, so compliance can be achieved in the time available.
Commissum are subject matter experts in GDPR and can help you make sure you are ready and compliant long before the regulation comes into force in 2018. Updating your data protection policies and processes, and educating your staff, are all important, so contact us now for guidance.