28 May 2019

GDPR and the Data Protection Act, one year on. What have we learnt?

By Naomi Korn

Data protection one year on

Photo by Hunter Harritt on Unsplash


It’s one year since the General Data Protection Regulation (GDPR) was transposed into legislation across EEA member countries and in the UK as the Data Protection Act 2018. But data protection laws are not new – it’s simply that their relevance in the digital age had diminished. GDPR is an important step in regulating the use and abuse of personal data, by building on existing privacy laws, increasing the accountability and transparency of those who process personal data, whilst also empowering those whose personal data they are processing. Together with the recently passed Copyright Directive [1] by the EU, this is an important step change in regulating the flow of both data and content to ensure that the appropriate balances are maintained between access and freedom on the one hand, and control and privacy on the other hand.

Since 25 May 2018, we have learnt a number of things:

  • The exemptions are important derogations to some of the obligations data controllers have within the data protection legislation. For example, “archiving in the public interest” enables the handling of information about living people contained within records and archival materials. The National Archives published guidance [2] in August 2018, six months after GDPR was transposed into UK law.
  • The ICO (Information Commissioner's Office) is naming and shaming those who are not complying with their responsibilities, no matter who they are, including details about the issues and fines levied. No one and no organisation is immune [3].
  • Privacy laws do not operate in isolation and only being compliant with them is not sufficient. There are other linked regulations and statutory obligations which require awareness and compliance, some of which are changing too. These include PECR (the Privacy and Electronic Communications Regulations) [4] which is due to be updated and replaced by a new e-Privacy Regulation.

Based upon working closely with our clients on their compliance obligations we also wanted to share some important GDPR reflections:

  1. Data protection compliance is an ongoing process. It did not begin and end on 25 May 2018.
  2. Staff need to be made aware of their responsibilities, reminded over time and new staff brought up to speed. GDPR compliance was never about training staff once and then moving on to something else.
  3. A crucial component of data protection compliance is recognising that the more that data is held, the greater the responsibility and the increase in risk. This means that data hygiene and robust cyber security policies go hand-in-hand with compliance. For example, passwords should be reviewed and updated, accounts logged out when vacating a desk etc.
  4. Data protection issues will affect all types of carriers of personal data – not just digital. This will include paper records, photographs, sound recordings, films etc. It’s unlikely one system can manage all GDPR issues but instead, a series of compliance interventions will be required.
  5. Good privacy management is a positive step for demonstrating trust and good practice. This is certainly good for business and building trusted relationships with third parties.
  6. Rights and privacy know-how nearly always means contract know-how too. Putting in place robust contracts with third parties and/or making sure you understand what you are signing is crucial for ensuring compliance.
  7. Not all data breaches need to be declared to the ICO, but it is vital that no matter what, you have sensible data breach policies in place to record any that happen. Breaches to be declared to the ICO include any loss or theft of personal data that could potentially cause harm or distress to the individual concerned.
  8. Subject Access Requests (SARs) are not the same as Freedom of Information (FOI) requests. Any organisation that is publicly funded and subject to FOIs must ensure that suitable procedures are in place to distinguish between the two. This should include an identity verification process for SARs to prevent personal data being provided to the wrong person and creating a data breach situation.
  9. Every organisation needs to understand that resource is required to maintain high levels of compliance, and work needs to continue to improve processes, develop suitable systems and build privacy compliance into the fabric of an organisation – “Privacy by Design”.
  10. Health checks and audits are essential to make sure that you have all the necessary policies and procedures in place, and to pick up on any gaps or omissions.

Naomi Korn Associates recently created a "Data Protection, one year on" training session. If you would like your staff to be kept up to date about changes to the laws through a practical and interactive session, please contact patrick@naomikorn.com. We can also assist through our Annual Support service and through one-off data protection consultancy.

(c) Naomi Korn Associates, 2019, Some Rights Reserved. The text of this blog is available for reuse under a Creative Commons Share Alike Licence. The image is available under a CC Zero Licence.

[1] https://en.wikipedia.org/wiki/Directive_on_Copyright_in_the_Digital_Single_Market

[2] http://www.nationalarchives.gov.uk/about/news/new-guidelines-for-archiving-personal-data/

[3] https://ico.org.uk/action-weve-taken/

[4] https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr/