The Data Protection Act (DPA) will soon be replaced with a new General Data Protection Regulation (GDPR). This will come into effect from 25 May 2018 and surveys to date indicate a woeful lack of awareness and readiness for the impact of this regulation.
The GDPR will significantly expand the scope and reach of data protection. This means that most companies can no longer rely on their Legal and Security officers alone to champion DPA compliance and safeguard the personal data processed by the company (and by third parties on its behalf). Companies need to embrace data protection as a core competence, because the reputational risks and regulatory fines can put you out of business.
GDPR introduces an Accountability Principle that makes the data controller (your company) responsible for demonstrating compliance and for notifying the authorities of any breaches. This means that data protection changes from a reactive tick-box approach to a proactive, business-critical approach.
Going back to basics, we used the Information Commissioner's questions to check people's current understanding of personal data. We gave a number of examples and asked for personal data to be identified, e.g. car number plate, business contact, conference attendee, blog post comment, email address, group photo from sports club, blood test results.
We received a range of different responses and concluded that it is very difficult to correctly identify when data is personal. The reason for this difficulty is that under GDPR, the correct interpretation depends on the specific context for the data. Most employees would want to be told in clear and simple terms what data falls within GDPR, but that will not be possible. Instead, we suggest that you treat all data with the same protection as personal data and make exceptions for data that is confirmed as non-personal. Note that non-personal data can become personal data if the context changes or new data is added to existing data.