If you are already preparing for GDPR (and with VinciWorks' GDPR Guide to Compliance and our Data Protection: Privacy at Work course, you should be), then most of what is in the Data Protection Bill will not be news to you. This post explains the key points where the new Data Protection Bill differs from GDPR.
Running to over 200 pages, with 194 clauses, 18 schedules and 112 pages of explanatory notes, the government describes the Bill as a “complete data protection system.” That system already exists, however, and it’s called the General Data Protection Regulation.
The Bill is essentially Brexit-proofing GDPR by bringing in the European standard of data protection, along with the exemptions the UK is allowed, no matter if, when or how the UK leaves the EU. The Bill is also necessary to implement a single data protection regime, as GDPR, as a European Directive, only applies to areas of law under EU competency. The Bill itself says things like: “Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter 2 as they have in the GDPR.” So there’s no reason to throw out all the GDPR compliance work you might have done so far. Indeed, now is the time to speed it up.
As the countdown to GDPR implementation progresses, we have refreshed our course Data Protection: Privacy at Work to ensure users benefit from the latest in policy and practice.
New modules have been added and existing ones updated to take account of the coming data protection regime, both across Europe and in the UK specifically, with the introduction of the new Data Protection Bill.
Global Data Protection Module
An in-depth, line by line comparative analysis of data protection legislation and regulations across more than 70 major countries. View a summary of data protection rules compared to GDPR for one country at a glance, or compare and contrast multiple jurisdictions to ensure staff all around the world understand their data protection obligations.
The threats to your personal and professional cyber security are ever-growing, and the needs of each organisation and employee vary. VinciWorks has therefore added a further 6 apps to its bank of available customisations.
Cyber Security and IT
A module for IT professionals covering steps to take during a cyber attack and the latest on security methods to keep your organisation safe.
What constitutes acceptable use of company resources? Review the do’s and don’ts of the fair and proper use of business equipment and how to protect it from unauthorised access.
The UK government is hoping the new Data Protection Bill will ensure a smooth transition to GDPR
The UK government has published its proposal to implement GDPR into UK law in a new Data Protection Bill. While GDPR will automatically come into force in the UK in 2018, the Bill is designed to ensure a smooth transition to a new data protection landscape regardless of Brexit, as well as implement key UK derogations.
Set to be introduced in September, the legislation will enshrine the fundamental principles of GDPR, including:
- The right to be forgotten
- Expanded definition of personal and sensitive personal data
- Expanded rights to access personal data
- Tighter rules on gaining consent
- New criminal offences to protect people from being re-identified from anonymised data and from having their data altered
- New powers for the Information Commissioner’s Office to fine companies up to £17m or 4% of global turnover
General Data Protection Regulation (GDPR) comes into force in exactly one year. If you are unprepared, this regulation could have a drastic impact on your business and how you collect data. The regulation creates significantly more rights and protections for data subjects, and imposes heavy fines on businesses that fail to comply.
The changes you may have to make to comply with GDPR include:
- Assessing and justifying all of your data collection
- Revising your privacy, data protection and cyber security policies
- Designing systems for new data rights including the right to be forgotten and the right to data portability
- Appointing a Data Protection Officer and implementing a “privacy by design” process
The webinar guides you through the first steps you need to take to become compliant. It will help you understand how the changes under GDPR will affect your organisation and how you should begin planning.
Ransomware attacks computers in 150 countries
On Friday hundreds of thousands of computers were held to digital ransom as a cyber security attack spread around the world. The cyber weapon, allegedly stolen from the US National Security Agency (NSA), even locked NHS staff out of their systems, forcing hundreds of critical operations to be cancelled and staff to turn away sick patients at the door. The attack spread quickly and installed malware on over 200,000 computers, demanding payments of up to $600 in return for the data. With cyber security experts expecting more attacks imminently, this latest attack shows that everyone needs to understand cyber security and make it a top priority.
The cyber attack that began with spam emails
The attack began with targeted phishing emails appearing to contain job offers, security warnings and invoices, as well as people’s own personal files. Once the attachments were unwittingly downloaded, the ransomware was able to spread across large networks. This makes understanding how to protect against cyber attacks more important than ever, since opening a single phishing email can affect computers across a whole network.
Article 5 of the General Data Protection Regulation requires demonstrable compliance with the new regulations. With GDPR set to come into force in May 2018, ensuring your staff are aware of your organisation’s data protection policies is now more important than ever.
Data protection changes under GDPR
Are you familiar with GDPR? Does your organisation have a process for data portability? GDPR legislation now allows individuals to obtain and reuse their personal data for their own purposes across different services. Other changes include the requirement for certain organisations to appoint a Data Protection Officer. Further, under GDPR, sensitive information now includes biometric and genetic information. This means that organisations should familiarise themselves with GDPR and ensure staff understand how to process personal data.
The General Data Protection Regulation (GDPR) is set to come into full force in May 2018. It will present the most significant change to EU data protection in 20 years, meaning organisations must update their policies to ensure they are compliant. Further, all staff who are involved with the processing and storing of data must be familiar with their organisation’s data protection policy. We have therefore provided a data protection policy template to help your staff understand and follow your organisation’s data protection procedures.
The data protection policy should include:
Who is responsible for the data protection policy?
Staff should know who to approach if they have any questions regarding the data protection policy or anything related to the processing of personal data. Under GDPR, certain organisations are required to appoint a Data Protection Officer (DPO). It will be their role to advise the company on the rules needed to ensure compliance with data protection laws.
The risks of a hard Brexit
Regardless of what the UK does with GDPR after Brexit, the biggest threat to data protection is from an exit from the EU without any deal. This is the so-called hard Brexit and fallback to World Trade Organisation rules until a further agreement is reached, or not. It’s the kind of Brexit Theresa May and many inside the Conservative party and Leave camp have called for. As we have seen, the crucial component for the UK after Brexit is to be judged as offering an adequate level of protection by the European Commission.
A hard Brexit with no deal means no assessment of adequacy. Furthermore, the UK cannot apply to the European Commission for an assessment of adequacy; that determination can only be given by the Commission itself. If the negotiations turned sour and both parties decided to walk away with no deal, perhaps due to the estimated €60bn leaving bill, there might not be much goodwill left to speed up a UK adequacy determination for GDPR.
Changes to Data Protection Under GDPR
Data protection law in the UK is based on the 1998 Data Protection Act. However, with continued changes in technology, 20 years on that law looks outdated and not relevant to the data protection concerns we face today. In May 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Act and will impose many new responsibilities and sanctions on organisations. Despite all the noise around GDPR, the eight principles of data protection laid out in the 1998 Data Protection Act will remain relevant, with changes to some of the key principles. Below is an overview of the eight principles of data protection, with guidance on the changes and what they could mean for your business.
The Eight Principles of Data Protection
1. Fair and lawful
Your organisation must have legitimate grounds for collecting the data and it must not have a negative effect on the person or be used in a way they wouldn’t expect. Organisations are required to provide full transparency about how they wish to use the data, as well as ensure their data is only used in ways customers would expect. Detailing precisely what a consumer’s information is being used for allows them to make an informed decision as to whether to share certain pieces of personal information.
Changes under GDPR
Under GDPR, conducting criminal record checks on employees must be justified by law. For example, a school is far more likely to be permitted to carry out such checks on their teachers than a restaurant hiring kitchen staff.