Data privacy and protection FAQs
Here are answers to some common questions about data privacy, data protection and the GDPR
- Questions that most clients ask about data privacy
- Our favourite question is “Why should I bother?”
HOW DO I ENROL AND TAKE THE CPD ACCREDITED DATA PROTECTION OFFICER COURSE?
How to enrol and get started in three easy steps
1 – Start dates
- There are no fixed course start dates or times
- You start when you choose
2 – Register
- Click here to register on our training platform
- After you enter your details you will be sent an email that you must confirm
- If you do not see the email in your inbox, check your spam
- The email title is “EBC Business Courses: account confirmation”
- The email is from “EBC Business Courses”
- Open the email and follow the instructions in the email
- Click the “Continue” button after you click the link in the email
3 – Pay and start
- Click here to open the “Data Protection Officer Comprehensive Training” course
- Scroll down and click “Buy Now” (example below)
- Follow the “Stripe” instructions
- Start your course
WHAT IS THE GENERAL DATA PROTECTION REGULATION (GDPR)?
THE GDPR IS THE EUROPEAN UNION’S DATA PROTECTION REGULATION
The GDPR is a data protection regulation that protects fundamental rights and freedoms of natural persons and is focused on their right to the protection of personal data.
It should be considered a value-adding product that demonstrates your company’s respect for personal data. GDPR presents significant competitive advantage opportunities. It shows customers that your organisation respects their right to privacy and that their data is safe in your hands.
The implementation deadline was Friday the 25th of May 2018. This was the day when the regulation came into force.
The GDPR applies to all countries in the European Union (EU) and the European Economic Area (EEA). It also applies to all organisations based in other countries that use the personal data of residents of countries in the EU and EEA.
WHAT DOES DATA PROTECTION COMPLIANCE MEAN? IS THERE A DEFINITION?
AN END TO THE CONFUSION ABOUT WHAT DATA PROTECTION COMPLIANCE MEANS
We frequently get asked, “what does data protection compliance mean?”. We have the answer but cannot claim ownership because it came from the UK’s Supervisory Authority, the Information Commissioner’s Office (ICO), at our request. Here is the ICO definition regarding UK data protection:
To demonstrate data protection compliance, an organisation must …
- Show respect for data protection principles.
- Have implemented appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the regulation.
UK data protection law is based on the GDPR, but the ICO definition is generic enough to be global.
So the answer to this question is another question: are you respecting your country’s data protection principles, and can you show supporting evidence?
This is true for the GDPR, the California Consumer Privacy Act (CCPA), the Brazilian LGPD, the Canadian PIPEDA, and almost all others.
IS DATA PROTECTION IMPLEMENTATION A ONE-OFF, “TICK-BOX” PROJECT?
DATA PROTECTION IS A NEVER-ENDING TASK
We often hear statements like, “We implemented data protection a while ago. Now we have moved on to other things.”
Most people would agree that data protection compliance is a journey. A UK Information Commissioner article supports this, describing data protection as a journey, possibly without end. You are therefore allowed, and expected, to keep addressing data protection issues on an ongoing basis, as long as you have a compliant way of managing and controlling data protection.
If you have implemented a principle-based data protection set of management controls and are now operating within them, you have a compliant operation. This does not mean that every piece of personal data, process, contract, etc., your organisation holds has been remediated. However, it does mean that you have a compliant way of managing and controlling data protection.
If you did some data protection work and filed it away somewhere, you are not compliant. This is because data protection evolves and matures, and your organisation must work daily to keep on top of things.
DO UK ORGANISATIONS HAVE TO COMPLY WITH THE GDPR AFTER BREXIT?
BREXIT HAS IMPACTED THE UK’S DATA PROTECTION REQUIREMENTS AS FOLLOWS
FAQ accurate at the time of publishing, July 24, 2022.
UK organisations have to comply with the Data Protection Act 2018 which incorporates the entire GDPR so, for the moment, Brexit has no impact on the requirement for implementing the GDPR.
Changes have been announced for amendments to the Data Protection Act 2018 which will need to be implemented when finalised. The proposed changes are designed to remove data protection coverage rather than add to it.
The main challenge is whether or not the UK will lose its EU Adequacy Decision. If it does, there will be a significant amount of data protection work to align with the lack of an EU Adequacy Decision.
WHAT HAPPENS IF THE UK LOSES ITS ADEQUACY DECISION?
IT ONLY MATTERS IF YOU DEAL WITH EU RESIDENTS AND CITIZENS
It depends on whether you trade with the EU.
You will not be impacted if your organisation has no relationships with EU / EEA residents.
If your organisation deals with EU / EEA residents and citizens, you must establish a representative in an EU country.
If your organisation is importing personal data from the EU / EEA into the UK, you will need to revisit your contracts to ensure that the incoming data transfers are legal.
If you are not in a position to do this, contact us: we have the facilities to perform the remedial work and to act as your representative.
WHAT SHOULD I EXPECT IF A REGULATOR DECIDES TO INVESTIGATE MY ORGANISATION?
REGULATORS ARE PUBLIC BODIES SO THEIR ACTIONS ARE PUBLIC RECORD
Here is what a regulator could do
- Request any information it requires for the performance of its tasks;
- Carry out data protection audits on your processing;
- Review your certifications;
- Get access to all the personal data and all information you hold that it needs to perform its tasks;
- Get access to your premises and the premises of any of your outsourced processing providers including data processing equipment.
Here are the types of sanctions and penalties a regulator could impose
- Issue a warning that intended processing is likely to result in a data protection law infraction;
- Issue a reprimand where your processing operations have caused a data protection law infraction;
- Order time-limited and monitored remediation work to take place that brings your processing operations into compliance;
- Order the communication of a personal data breach to all impacted individuals;
- Impose a temporary or definitive processing limitation that may include a ban on processing;
- Order the rectification, restriction or erasure of data;
- Order a certification body to revoke or not to issue a certificate;
- Impose administrative fines;
- Order the suspension of data transfers;
- Recommend civil or criminal legal action that may result in damage awards and imprisonment.
WHAT DO I NEED TO DO TO COMPLY WITH DATA PROTECTION LAWS AND REGULATIONS?
UNDERSTAND HOW YOUR ORGANISATION GOVERNS AND PROCESSES PERSONAL DATA
Despite all the rhetoric and scaremongering, data protection breaks down into a few easy-to-understand critical components:
- A personal data governance structure
- A set of personal data protection policies
- A staff member to manage and operate the governance and to manage the Supervisory Authority relationship (a Data Protection Officer, or a similar role if you are not required to appoint a DPO)
- A training and awareness programme
- A process to facilitate individuals’ data privacy rights
- Records management
- Internal oversight and regulatory change management
- Data sharing and transfer management
- Third-party information sharing contract management
- Personal data risk assessment embedded in transformation and change
- Personal data security and access management
- Personal data breach detection measures and notification processing
A current state assessment against these components highlights gaps to be filled as needed.
There is no magic formula. All that is needed is a structured, methodical and pragmatic approach.
“The devil is in the detail” you may say. This is true, but if you have a structure, the detail is easier to allocate and address. With many small and well-chosen bites, the elephant in the room will disappear.
MY ORGANISATION CANNOT AFFORD A BIG BUDGET IMPLEMENTATION, WHAT CAN WE DO?
LIMITED BUDGET? IMPLEMENT YOUR OWN GDPR
Our Data Protection Controls (DPC) is a multi-tasking privacy management system that you can use in your organisation as software as a service, or you can easily contract as an outsourced service.
Whichever version you choose, your personal data privacy management will be centrally and transparently controlled and managed regardless of your company’s size. We are a pool of practical and pragmatic knowledge and experience.
HOW SHOULD I APPROACH DATA PROTECTION COMPLIANCE?
THINK OF DATA PROTECTION AS A CUSTOMER EXPERIENCE ENHANCING PRODUCT
Forget the scary stuff and look at data protection as a customer confidence builder.
Implementing data protection is something that sets you apart from competitors.
It is a show of respect for personal data, something very positive.
Data protection is a compliance exercise, but it is also a blueprint for a free, value-added product that can only benefit your organisation.
Approach it with a positive attitude and you will succeed.
WHAT IS THE MINIMUM I NEED TO DO TO IMPLEMENT DATA PROTECTION COMPLIANCE?
GET IN TOUCH FOR MORE ADVICE AND IMPLEMENTATION RESOURCES
Delivering data protection compliance should be practical and pragmatic. Data protection needs an implementation that is appropriate and proportionate.
- Taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, you should implement appropriate technical and organisational measures to ensure and be able to demonstrate that processing is performed following data protection regulations. Furthermore, the measures must be periodically reviewed and updated when necessary.
- Where proportionate in relation to the processing activities, the measures must include implementing appropriate data protection policies.
Implementation basics include:
- A documented understanding of your processing
- A protective outer layer manifested in all contracts and agreements that involve personal data showing each party’s accountability, responsibility, liability and role
- An inner governance structure comprising policies, management, controls, standards and procedures
- An oversight function to measure, report, quality assure and interact with the supervisory authority
- Training for all staff members
ARE THERE ANY CIRCUMSTANCES WHEN DATA PROTECTION IS NOT REQUIRED?
ONLY A SELECT FEW AREAS ARE EXEMPT
The only areas that are usually exempt from complying with personal data protection law are the processing of personal data:
- by an individual in the course of a purely personal or household activity;
- in the course of an activity which falls outside the scope of national law;
- for specific use in a country’s foreign policy; and
- by competent authorities for crime prevention and the prevention of threats to public security.
Points 3 and 4 are normally applied to military and law enforcement activities so they are subject to a different set of data laws where personal data protection does not apply.
Data Protection Controls
Calle de la Caléndula 93, Miniparc III, Edificio E, 28109, Alcobendas, Madrid, Spain
+34 915 553 975