Data protection frequently asked questions
- What is the General Data Protection Regulation (GDPR)?
- What does data protection compliance mean? Is there a definition?
- Is data protection implementation a one-off, "tick-box" project?
- Do UK organisations have to comply with the GDPR after Brexit?
- Why should I bother implementing GDPR?
- What should I expect if a regulator decides to investigate my organisation?
- How is data protection compliance monitored and enforced?
- What do I need to do to comply with data protection laws and regulations?
- My organisation cannot afford a big budget implementation, what can we do?
- How should I approach data protection compliance?
- If the UK crashes out of the EU, what else do I have to do with respect to data protection?
- What is the minimum I need to do to implement data protection compliance?
- Are there any circumstances when data protection is not required?
What is the General Data Protection Regulation (GDPR)?
The GDPR is the European Union's data protection regulation
The GDPR is a data protection regulation that protects the fundamental rights and freedoms of natural persons, focusing on their right to the protection of personal data.
It should be considered a value-adding product that demonstrates your company's respect for personal data. GDPR presents significant competitive advantage opportunities. It shows customers that your organisation respects their right to privacy and that their data is safe in your hands.
The implementation deadline was Friday the 25th of May 2018. This is the day when the regulation came into force.
The GDPR applies to all countries in the European Union (EU) and the European Economic Area (EEA). It also applies to organisations based in other countries that use the personal data of residents of EU and EEA countries.
What does data protection compliance mean? Is there a definition?
An end to the confusion about what data protection compliance means
We frequently get asked "what does data protection compliance mean?". We have the answer, but we cannot claim ownership of it: it came, at our request, from the UK's Supervisory Authority, the Information Commissioner's Office (ICO). Here is the ICO definition regarding UK data protection:
To demonstrate data protection compliance, an organisation must ...
- Show respect for data protection principles
- Have implemented appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the regulation.
UK data protection law is based on the GDPR, but the ICO definition is generic enough to be global. The answer is another question: are you respecting your country's data protection principles and can you show supporting evidence?
This is true for the GDPR, the California Consumer Privacy Act (CCPA), the Brazilian LGPD, and almost all others.
Is data protection implementation a one-off, "tick-box" project?
Data protection is a never-ending task
We often hear statements like "We implemented data protection a while ago. Now we have moved on to other things."
Most people would agree that data protection compliance is a journey. A UK Information Commissioner article supports this: it describes data protection as a journey, possibly without end. You are therefore allowed, and expected, to keep addressing data protection issues continually, as long as you have a compliant way of managing and controlling data protection.
If you have implemented a principle based data protection set of management controls and you are now operating within them, you have a compliant operation. This does not mean that every single piece of personal data, process, contract, etc. your organisation holds has been remediated. It does mean that you have a compliant way of managing and controlling data protection.
If you did some data protection work a while ago and filed it away somewhere, you are not compliant. Data protection evolves and matures and your organisation must work every day to keep on top of things.
Do UK organisations have to comply with the GDPR after Brexit?
Brexit has no impact on data protection implementation requirements
UK organisations have to comply with the Data Protection Act 2018, which incorporates the entire GDPR, so Brexit has no impact on the requirement to implement the GDPR.
Why should I bother implementing GDPR?
Data protection compliance is good for business!
Enhance your image and trust
Some of your competitors will already have implemented data protection. If you choose not to, they will have an advantage over you. They will be able to tell their customers, suppliers, etc. “you can trust us with your personal data”.
Data protection will have certification ratings in the future. Not being able to show a rating will probably have negative financial consequences on your business.
By implementing data protection in your organisation you show that your organisation respects personal data and people can trust what you do with their personal data.
Avoid the financial and reputational consequences
Financial penalties can be high. GDPR fines can exceed 20 million Euros. In addition, individuals may be awarded damages should the outcome of a complaint be determined in a court of law. Directors may also be held to account, facing fines and the possibility of imprisonment.
These penalties and other actions will be public domain knowledge.
Non-compliance is always an option but it is not recommended
Organisations will or will not comply with GDPR. The choice is down to the Directors and their risk appetite.
Some organisations are willing to take the risk that it will never happen to them.
If your organisation is willing to risk news headlines, negativity on social networks, fines of 20 million Euros or more, prohibition of processing, criminal charges against Directors and court awards for damages, don’t do anything.
What should I expect if a regulator decides to investigate my organisation?
Regulators are public bodies so their actions are public record
Here is what a regulator could do
- Request any information it requires for the performance of its tasks;
- Carry out data protection audits on your processing;
- Review your certifications;
- Get access to all the personal data and all information you hold that it needs to perform its tasks;
- Get access to your premises and the premises of any of your outsourced processing providers including data processing equipment.
Here are the types of sanctions and penalties a regulator could impose
- Issue a warning that intended processing is likely to result in a data protection law infraction;
- Issue a reprimand where your processing operations have caused a data protection law infraction;
- Order time-limited and monitored remediation work to take place that brings your processing operations into compliance;
- Order the communication of a personal data breach to all impacted individuals;
- Impose a temporary or definitive processing limitation that may include a ban on processing;
- Order the rectification, restriction or erasure of data;
- Order a certification body to revoke or not to issue a certificate;
- Impose administrative fines;
- Order the suspension of data transfers;
- Recommend civil or criminal legal action that may result in damage awards and imprisonment.
How is data protection compliance monitored and enforced?
Based on volume, your main risk comes from individuals
All countries that have a data protection law have an overseeing regulator. Regulators have the right to perform spot checks and make requests for evidence of compliance. Failure to provide evidence is usually considered a serious infraction.
Every individual about whom an organisation holds personal data has the right to lodge a complaint with the Regulator. Depending on the severity of the complaint, the Regulator may launch an investigation. Individuals comprise everyone whose records are held: customers, students, employees, professional contacts, suppliers, consultants, external experts, etc. Every individual in your records is a potential source of complaint.
The risk of a regulator performing a spot check or requesting information is low. The risk of a disgruntled individual lodging a complaint with the regulator is much higher purely on the basis of volume.
What do I need to do to comply with data protection laws and regulations?
Understand how your organisation governs and processes personal data
Despite all the rhetoric and scaremongering, data protection breaks down into a few, easy to understand key components:
- A personal data governance structure
- A set of personal data protection policies
- A staff member to manage and operate the governance and to manage the Supervisory Authority relationship (a Data Protection Officer, or a similar role if you are not required to appoint one)
- A training and awareness programme
- A process to facilitate individuals' data privacy rights
- Records management
- Internal oversight and regulatory change management
- Data sharing and transfer management
- Third party information sharing contract management
- Personal data risk assessment embedded in transformation and change
- Personal data security and access management
- Personal data breach detection measures and notification processing
A current state assessment against these components highlights gaps which are then filled as needed.
There is no magic formula. All that is needed is a structured, methodical and pragmatic approach.
“The devil is in the detail” you may say. This is true, but if you have a structure, the detail is easier to allocate and address. With many small and well-chosen bites, the elephant in the room will disappear.
My organisation cannot afford a big budget implementation, what can we do?
Limited budget? Implement your own GDPR
Our Data Protection Controls (DPC) is a multi-tasking privacy management system that you can either use in your organisation as software as a service or easily contract as an outsourced service.
Whichever version you choose, your personal data privacy management will be centrally and transparently controlled and managed, regardless of your company's size. We are a fountain of practical and pragmatic knowledge and experience.
How should I approach data protection compliance?
Think of data protection as a customer experience enhancing product
Forget the scary stuff and look at data protection as a customer confidence builder.
Implementing data protection is something that sets you apart from competitors.
It is a show of respect for personal data, something very positive.
Data protection is a compliance exercise, but it is also a blueprint for a free, value-added product that can only benefit your organisation.
Approach it with a positive attitude and you will succeed.
If the UK crashes out of the EU, what else do I have to do with respect to data protection?
Important if you deal with EU residents and citizens
This depends on whether you trade with the EU.
If your organisation has no relationships whatsoever with EU / EEA residents, you will not be impacted.
If your organisation deals with EU / EEA residents or citizens, you will have to establish a representative in an EU country.
If your organisation is importing personal data from the EU / EEA into the UK, you will need to revisit your contracts to ensure that the incoming data transfers are legal.
If you are not in a position to do this, contact us because we have the facilities to become your representatives.
What is the minimum I need to do to implement data protection compliance?
Get in touch for more advice and implementation resources
Delivering data protection compliance should be practical and pragmatic. Data protection needs an implementation that is appropriate and proportionate.
- Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, you should implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with data protection regulations. The measures must be periodically reviewed and updated when necessary.
- Where proportionate in relation to processing activities, the measures must include the implementation of appropriate data protection policies.
Implementation basics include:
- A documented understanding of your processing
- A protective outer layer manifested in all contracts and agreements that involve personal data, showing each party's accountability, responsibility, liability and role
- An inner governance structure comprising policies, management, controls, standards and procedures
- An oversight function to measure, report, quality assure and interact with the supervisory authority
- Training for all staff members
Are there any circumstances when data protection is not required?
Only a select few areas are exempt
The only areas that are usually exempt from complying with personal data protection law are the processing of personal data:
- by an individual in the course of a purely personal or household activity;
- in the course of an activity which falls outside the scope of national law;
- for specific use in a country's foreign policy; and
- by competent authorities for crime prevention and the prevention of threats to public security.
Points 3 and 4 normally apply to military and law enforcement activities, which are subject to a different set of data laws under which general personal data protection law does not apply.