The General Data Protection Regulation (GDPR) is a European Union (EU) law governing the processing of personal data. ‘Personal data’ is information relating to any living, identifiable person, whilst ‘processing’ covers anything done with that data once it has been gathered, from storing it on a server to analysing or sharing it. GDPR applies to all organisations established in the EU, as well as to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.

Since the UK was still in the EU at the time of GDPR’s implementation in May 2018, and since it was also a driving force behind constructing the new legislation, the country is bound to comply with the GDPR. The UK implemented GDPR through the Data Protection Act (DPA) 2018, an updated DPA that supplements the regulation. It is likely that, post-Brexit, the DPA 2018 will remain in place (in June 2017, the Queen’s Speech explained that GDPR would become part of UK law after we leave the EU), but the UK will be able to make amendments.

There is widespread apprehension about how a post-Brexit UK could operate without the security of the EU single market. Whilst the progress of the Brexit negotiations is uncertain, we may still consider some hypothetical outcomes.

The European Single Market

The European Single Market is a common market ensuring free movement within the EU. It consists of the EU member states, three of the four EFTA member states (Iceland, Liechtenstein and Norway) and, through bilateral agreements, Switzerland. The EU member states and those three EFTA states together form the European Economic Area (EEA); Switzerland is an EFTA member but not part of the EEA. The EEA agreement includes:

  • Free movement of goods, persons, services and capital
  • A system to prevent competition being distorted
  • Closer cooperation in some other fields, such as research, environment, education and social policy

The GDPR prevents personal data being transferred outside the EEA unless the destination has an adequacy decision or appropriate safeguards are in place. Whilst the Article 50 notification gave notice of the UK’s withdrawal from the EU, it made no reference to our membership of the EEA. Therefore, when the UK leaves the EU, it will not necessarily leave the EEA. Those pushing for a ‘softer’ Brexit are urging the UK to remain part of the EEA, which would mean that personal data could continue to flow freely to the UK under the GDPR.

Adequacy Decision

Another hypothetical post-Brexit scenario is that the UK leaves both the EU and the EEA, in which case it would be classed as a third country. As a third country, we would hope to obtain an adequacy decision from the European Commission. To reach one, the Commission examines the UK’s legal framework, its domestic regulator and its international commitments to data protection rules. If an adequacy decision is granted, EU member states are free to transfer their citizens’ data to UK organisations for processing without further safeguards.

If we fail to secure a positive adequacy decision, data transfer could still occur, but only if appropriate safeguards are put in place, such as standard contractual clauses or binding corporate rules. This would incur extra costs for businesses and more restriction. For this reason, an adequacy decision would be the preferred option.

Data Protection Post-Brexit

The UK’s decision to remain largely compliant with GDPR, even after exiting the EU, should facilitate a smooth transition; however, the realities of this endeavour are yet to be seen. Similarly, the future role of the Information Commissioner’s Office (ICO), the UK’s data protection regulator, within international negotiations is uncertain. Hopefully, it will have continued involvement in international data protection talks, but this is yet to be established. For now, at least, businesses must continue to comply with GDPR as it is current UK law.

It is important to remember that, regardless of our data protection policies post-Brexit, businesses that wish to supply goods or services to, or monitor the behaviour of, individuals in the EU will have to continue complying with GDPR.

The newly implemented General Data Protection Regulation (GDPR) has been dramatised across Europe, with critics suggesting that implementing the regulation is going to cost businesses a lot of money. However, this isn’t necessarily the case. In fact, businesses can benefit from GDPR, as the regulation brings better security, closer co-operation between teams and the opportunity to process data more efficiently. If your business implements the GDPR’s requirements early, you will be one step ahead of your competition, and on track to create a stable and fair platform for data management.

The Information Commissioner’s Office (ICO) is here to help:

Critics have attempted to scare businesses with the threat of the ICO, the public body responsible for enforcing data protection law in the UK. The ICO does have the legal power to fine an organisation up to €20 million or 4% of the business’s annual global turnover, whichever is higher, but fines at this level are rare.

The threat of a fine from the ICO appears intimidating, but this is the ICO’s most severe penalty, and one it will only impose for the most serious breaches. For example, in 2016 the ICO fined only 16 organisations out of the 17,300 cases it dealt with.

Elizabeth Denham, the UK Information Commissioner, has clearly addressed the role of the ICO and attempted to debunk myths surrounding it. Essentially, the ICO exists to protect citizens’ data rights, not to punish businesses unfairly. Denham has said that the ICO prefers to guide and help businesses with their GDPR compliance rather than to punish them.

Consequently, the ICO issues warnings, reprimands and corrective orders such as enforcement notices far more often than it issues monetary penalties. However, even warnings and enforcement notices can tarnish a business’s reputation, so it is wise to avoid them.

The ICO offers advice and guidance to help businesses meet their data protection obligations, so that penalties need not arise. The ICO is therefore a supportive public body that businesses should not fear: the GDPR and the ICO simply want to ensure that citizens’ rights are prioritised, and that should not shock or intimidate any business.

Why GDPR compliance is beneficial to a business:

Data management falls within the remit of many parts of a business, so handling data consistently across the organisation requires a co-operative and interactive environment. From the security team to the sales team, data needs to be managed through a uniform process. Different teams in the business are therefore now obliged to work together to achieve data protection and to make the data genuinely valuable.

The articles of the GDPR aim to achieve transparency, accuracy and accessibility of personal data within a business. By demonstrating these qualities, a business appears more competent and secure, so customers would rather entrust their personal data to a business that is GDPR compliant than to one that is not. The GDPR-compliant business consequently gains a competitive edge.

Implementing GDPR is an incentive to modernise your business. Not only does data protection make your business more transparent, it also encourages it to consider its customers’ rights and needs. Customers who supply their personal data to a business want to be able to trust it, so businesses need to consider how they can further satisfy their customers.

Which industries will benefit from GDPR compliance the most?

To demonstrate how GDPR compliance can benefit a specific business, we can look to the insurance industry. The majority of insurance companies have welcomed the changes brought about by GDPR: they hold the personal data of very many customers, and the regulation has given them a reason to overhaul their data management procedures.

The GDPR requires that data subjects be able to access their personal data easily through subject access requests. Consequently, businesses have been encouraged to consolidate their stores of personal data, ensuring they are accurate, up to date and kept together in a clear, concise fashion. Businesses can now locate and use this data more easily than before. Insurance companies refer to this consolidated view of a customer’s personal data as “the golden record” or the “Customer 360 view”.

Aviva, the well-known British insurer, issued notices to its customers via its website to let them know that its GDPR compliance programme was under way. Aviva therefore appears to be embracing the GDPR changes and ensuring that its data management upholds the new regulation.

It is essential that businesses are not intimidated by the changes they will have to make to become GDPR compliant. To avoid data breaches and to ensure your business is as competitive and successful as possible, implementing the GDPR and maintaining compliance is a must.

In this article:

  • What does GDPR stand for?
  • Why is GDPR important?
  • Who does GDPR apply to?
  • The key aspects of GDPR
  • Why was GDPR needed?
  • Does GDPR replace the DPA?
  • How to become GDPR compliant

What does GDPR stand for?

GDPR stands for General Data Protection Regulation. It is a European Union (EU) law that came into effect on 25th May 2018. GDPR governs the way in which we can use, process, and store personal data (information about an identifiable, living person). It applies to all organisations within the EU, as well as those supplying goods or services to the EU or monitoring the behaviour of individuals in the EU.

It is therefore essential for businesses and organisations to understand exactly what GDPR means. It is the legislation established to protect the fundamental rights of data subjects whose personal information and sensitive data is held by organisations. Data subjects have the right to request access to their personal information, and the right, in certain circumstances, to demand that an organisation erases it. These rules affect most sectors of business, from marketing to health services. Therefore, to avoid the substantial fines the Information Commissioner’s Office (ICO) can impose, it is essential to become GDPR compliant.

GDPR Key Principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation: only using data for the specified, explicit purposes for which it was collected
  • Data minimisation: only acquiring data that we strictly need
  • Accuracy: ensuring any data we possess is accurate and kept up to date
  • Storage limitation: not keeping data for longer than necessary
  • Integrity and confidentiality: processing data securely
  • Accountability: being able to demonstrate compliance with the above

Why Is GDPR Important?

Primarily, GDPR is important because it provides a single set of rules for all EU organisations to adhere to, giving businesses a level playing field and making the transfer of data between EU countries quicker and more transparent. It also empowers EU citizens by giving them more control over the ways in which their personal data is used.

Before introducing the GDPR, the European Commission found that a mere 15% of citizens felt that they had complete control over the information they provided online. With such low trust amongst the general public, it is clear that consumer habits will ultimately be affected. Measures to rebuild this confidence, through the introduction and proper implementation of GDPR, are expected to increase trade.

Thorough implementation of data protection policies and staff education are important, since poor practice is a common cause of data breaches. The Information Commissioner’s Office (ICO) can issue fines of up to 4% of your annual global turnover or €20 million, whichever is greater, for the most serious infringements. Data protection training is a necessity in mitigating the risk of data breaches.

Who Does GDPR Apply To?

The General Data Protection Regulation (GDPR) governs the way in which personal data is gathered and handled in the European Union (EU). Personal data is defined as any information relating to an identified or identifiable, living person. GDPR applies to any individual or organisation that handles personal data within the EU. Countries outside the EU are known as ‘third countries’ under GDPR. Organisations in third countries may have their own data protection legislation to follow, but they are also required to comply with GDPR in the following circumstances:

  • When offering goods or services to individuals in the EU
  • When monitoring the behaviour of individuals in the EU

The key aspects of GDPR:

GDPR has replaced the 1995 Data Protection Directive, which established minimum requirements for data protection across Europe that each member state implemented in its own way. This looser approach to data protection, prior to 2018, left room for a series of data breaches and scandals in which data subjects’ personal information was compromised. The changes established in the GDPR are intended to provide better protection of data subjects’ fundamental rights.

  • Extended jurisdiction: GDPR applies to any organisation that processes the personal data of data subjects who are in the EU. This means it applies to big and small organisations, inside and outside the EU.
  • Consent: there is a strict focus on consent, which has to be specific, informed and given by a clear affirmative action.
  • Right of access: a data subject can issue a subject access request to see their personal information, and an organisation must respond, normally within one month.
  • Right to be forgotten: a data subject can demand that a data controller erases their personal information, where one of the grounds in the regulation applies.
  • Data Protection Officer: controllers and processors must appoint a DPO in the circumstances the regulation specifies (see below), to ensure data protection rules are being upheld.
  • Penalties: supervisory authorities such as the ICO can now issue much harsher penalties for infringements, including fining an organisation up to €20 million or 4% of its annual global turnover, whichever is higher.
Why was GDPR needed?

Society is now more data-driven than ever, and the vast amount of sensitive data stored on computers has been accompanied by a rise in cyber-attacks and data breaches.

Phishing Emails

Phishing is one of the main ways cyber-criminals obtain personal information: a scam email tricks the recipient into revealing credentials or personal details, or into changing bank or account details. Attacks of this kind are so common that the GDPR’s security requirements are essential to reduce how often they succeed.

Organisations need to be aware of emails that might carry malware, to protect their IT network. If malware gets a foothold on an organisation’s systems, the personal information of customers and employees can be compromised and a data breach will occur.

Organisations should encrypt email so that personal information in transit cannot be read by an attacker, and a data controller can use a secure email gateway to stop emails containing malware, phishing lures or spam before they reach staff. The GDPR does not name these products, but a secure email gateway is a reasonable technical measure towards the Article 32 security obligation for any organisation that handles personal data by email.

Office 365 and GDPR

Many organisations use Office 365 to store vital information, such as spreadsheets of employee personal data, business contracts and annual reviews. Microsoft, as the provider, therefore has responsibilities as a data processor for protecting this data, while the organisation that puts the data there remains the data controller.

Office 365 is a cloud service, and cloud storage is now the norm: some estimates suggest that up to 85% of businesses store data in the cloud. Data held in the cloud still falls under GDPR, and Microsoft has added tools, such as automatic labelling policies and content search, to help customers find and classify personal information easily. These tools support transparency and make personal data easier to locate, but using them well is still the customer’s responsibility; a compliant platform does not make an organisation compliant by itself.

End User Consent

The GDPR has imposed tighter control on end-user consent as a basis for processing personal data. A data subject must be told, before consenting, what their personal data will be used for and how it will be handled, and it is the data controller’s responsibility to provide that information. The data subject can then withdraw consent at any time, and withdrawing consent must be as easy as giving it; once it is withdrawn, the controller must stop the processing that relied on it.

Two-Factor Authentication

Article 32 of the GDPR requires organisations to apply appropriate technical and organisational measures to protect personal data, taking into account the state of the art and the risk. It does not prescribe particular controls, but multi-factor authentication on the systems that process personal information is a widely accepted example, as is encrypting mobile devices that hold personal data so that a lost or stolen phone does not become a breach.

GDPR should not intimidate organisations: if the rules and safeguards are implemented properly, there should be no problems and no reason for the ICO to get involved.

Does GDPR replace the DPA?

The Data Protection Act (DPA) 1998 was superseded by the European Union (EU)’s General Data Protection Regulation (GDPR) on 25th May 2018. Prior to 25th May 2018, the ruling UK data protection legislation was the Data Protection Act (DPA) 1998. The DPA was brought in at the end of the 20th century as computers became increasingly commonplace in businesses. However, by 2018, the DPA was admittedly outdated and no longer reflected the digital/technological age in which we live. For example, a vast proportion of individuals in the UK use social media, many of us possess more than one digital device (phones, tablets, laptops), and almost all businesses rely on computer networks. The digital world that we live in has changed the way we process information, and the laws were updated accordingly.

How to become GDPR compliant

In order to become GDPR compliant, you must first understand the rights of the individual granted by the legislation. They are as follows:

  • Right to be informed of how your data is being processed
  • Right to access this data
  • Right to rectify incorrect data
  • Right to erase data
  • Right to restrict processing of personal data
  • Right to data portability: as a business you will need a way to compile the personal data an individual has provided to you and supply it to them, or to another controller they nominate, in a structured, commonly used, machine-readable format
  • Right to object to your data being processed
  • Rights relating to automated decision-making, including profiling

Organisations must then identify their role in the flow of data: are they a data controller or a data processor? Data controllers determine why and how personal data will be used. Data processors are individuals or companies that process personal data on behalf of the data controller.

Whilst data controllers retain ultimate responsibility for protecting the data, data processors are also directly required to comply with GDPR when processing and storing personal data. Data controllers must have a written contract with each processor setting out the processor’s obligations, including that it will act only on the controller’s instructions, and should ensure it is signed by all third parties.

Under GDPR, it is important to identify the lawful basis for processing personal data. The acceptable bases are:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

When processing special category data (sensitive personal information such as health, biometric or religious data), the grounds on which it can be lawfully used differ. Processing requires both a lawful basis and a separate special category condition.

The GDPR requires some organisations to appoint a Data Protection Officer (DPO). A DPO is independent of the daily processing activities of your organisation but is responsible for monitoring GDPR compliance. You must appoint one if you are a public authority; if you perform regular, large-scale monitoring of individuals as a core activity; or if you conduct large-scale processing of special category data or information on criminal convictions and offences as a core activity.

Businesses must conduct a Data Protection Impact Assessment (DPIA) if a processing activity is likely to result in a high risk to individuals. This is intended to identify and minimise risk to individuals’ personal data. The risk assessment considers both the likelihood and the severity of the impact. If, whilst conducting a DPIA, you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.

Consent is also more tightly regulated under GDPR, so businesses need to familiarise themselves with the new requirements. Consent must be freely given, specific, informed and unambiguous, and indicated by a clear affirmative action; pre-ticked boxes and silence do not count. Any consent you obtained in the past needs to meet these requirements too and must be obtained again if it does not.

Stating GDPR compliance is no longer enough; it must now be demonstrated. You are required to publish a privacy notice informing data subjects how their personal data will be used, and you should draw up a plan for responding to a data breach, including how you will meet the 72-hour deadline for notifying the ICO.

The General Data Protection Regulation (GDPR), an EU-wide law, has applied since 25th May 2018 and was implemented in the UK through the Data Protection Act 2018. The regulation was adopted on 27th April 2016, giving data controllers and organisations just over two years to ensure compliance.

Whilst the GDPR did not apply to businesses until 25th May 2018, it technically entered into force on 24th May 2016, twenty days after its publication in the Official Journal of the EU. It was at this point that data controllers started to put strategies in place to become GDPR compliant. Accordingly, by 25th May 2018, companies were expected to be compliant and could face enforcement action for non-compliance from that date.

Prior to the introduction of the GDPR, UK data protection was regulated by the Data Protection Act (DPA) 1998. This was the UK’s implementation of the EU’s Data Protection Directive 1995 (just as the DPA 2018 is the UK implementation of the GDPR).

Why Was the GDPR Adopted?

The EU’s Data Protection Directive 1995 led to each member state implementing its own national law. Whilst they all strove towards the same objectives, they nevertheless differed slightly in their approach to handling personal data. These mismatches slowed down and inhibited the free movement of data across borders within the EU. Under the GDPR, all member states adhere to the same rules, and data can be transferred freely around the EU whilst still being protected under the regulation. This facilitates free and easy data flow, which benefits individuals and organisations across the EU.

The DPA 1998 was passed before the birth of social media and other digital technologies we use far more frequently in the new millennium. With such vast quantities of digital data being collected and stored, new legislation was required to address how it could and should be processed to maintain privacy. A public example of the need for greater awareness of personal data protection was the Facebook/Cambridge Analytica scandal, in which the personal data of up to 87 million Facebook users was inappropriately harvested and used for political gain by Cambridge Analytica. The data included public profile information, page likes, birth dates and address information. Some users also had their news feed, timeline and messages accessed.

Cambridge Analytica used the information to compile psychographic profiles of Facebook users and then target them with advertisements. It is thought that the data was used to influence the 2016 US presidential election in Trump’s favour, as well as other political events. The headlines resulted in public outcry for greater consumer protection whilst using social media and an increased appreciation of data privacy. Facebook’s share price fell sharply as the story hit news headlines worldwide, illustrating the blow its reputation took.

Why is it Important to Adopt GDPR Best Practices?

As of 25th May 2018, the EU GDPR became a legal requirement. Compliance is therefore not a choice but an obligation. GDPR is beneficial both for data subjects and for the organisations that process their data.

Data breaches can badly affect data subjects, leading to emotional, physical and material damage, as well as putting them at increased risk of identity fraud. Data breaches can also have crippling effects on the responsible organisation. The Information Commissioner’s Office (ICO) can issue fines of up to €20 million or 4% of a business’s annual global turnover, whichever is greater. Additionally, as illustrated by the Facebook scandal, reputational damage can be as catastrophic as any monetary penalty. Data protection training and up-to-date knowledge of the legislation can help mitigate these risks and protect both your business and those whose information it holds.

The General Data Protection Regulation (GDPR) is a European Union (EU) law governing the processing of personal data across the EU. Personal data is any information about identifiable, living people (known as data subjects). It is an extraterritorial law, meaning it applies both within the EU and outside it, to organisations that offer goods or services to, or monitor, individuals in the EU.

ISO 27018 is short for ISO/IEC 27018, Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. It is all about how to protect personally identifiable information that is stored in the public cloud. The standard provides a compliance framework and seeks to protect personal data from unauthorised use. ISO 27018 builds on existing security standards such as ISO 27001 and ISO 27002, which set out more general security principles; ISO 27018 itself is a highly specific set of controls addressing cloud-specific concerns.

What is the ISO/IEC?

The International Organisation for Standardisation (ISO) is an independent international organisation. It has 161 national standards bodies as members. Members share knowledge and develop voluntary standards for many industries, such as technology, food safety and healthcare. ISO/IEC JTC 1 is a joint technical committee of the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC). It was formed in 1987 to develop baseline standards for the IT industry that other committees can build on. ISO/IEC JTC 1 was responsible for producing ISO 27018.


ISO 27001 (first published in 2005 and revised in 2013) is a framework for an information security management system (ISMS), which helps an organisation with its data management, data protection, security procedures and preventive action against data breaches. By implementing ISO 27001 and becoming certified, an organisation gains a secure starting point that will help it become compliant with the European General Data Protection Regulation (GDPR). ISO 27001 covers many of the GDPR’s security-related requirements, so implementing it contributes towards achieving GDPR compliance.

Which GDPR requirements does ISO 27001 cover?

The GDPR does not name ISO 27001, but Article 42 encourages approved certification mechanisms, and an ISO 27001 information security management system covers several GDPR requirements. ISO 27001 also promotes information security awareness across an organisation, encouraging all staff members to understand the actions they need to take to protect personal data.

Article 32 of the GDPR states that data controllers and data processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, and an ISO 27001 ISMS is one way to achieve this. The technical and organisational measures set out by ISO 27001 (Annex A control references below are to the 2013 edition) support GDPR compliance in several ways:

-Personal data. The GDPR exists to protect personal data; ISO 27001 requires an organisation to identify its information assets, personal data included, classify them and protect them according to risk.

-Encryption and pseudonymisation. Article 32 names pseudonymisation and encryption as example measures. ISO 27001’s risk assessment and its cryptography controls (Annex A.10) help an organisation decide which data needs to be encrypted or pseudonymised, and how the keys are managed.

-Confidentiality and access control. ISO 27001’s access control requirements (Annex A.9) ensure that the systems used to process personal data are available only to the individuals who need them for that processing, so the data remains confidential.

-Evaluation. The GDPR requires a process for regularly testing and evaluating the effectiveness of security measures. ISO 27001 provides this through internal audits, management review and, for certification, assessment by an independent certification body.

-Risk assessment. The GDPR requires organisations to assess the risk to individuals; ISO 27001 is built around a formal information security risk assessment and treatment process.

-Availability and resilience. In the event of a technical failure, ISO 27001’s backup and business continuity controls (Annex A.12.3 and A.17) restore access to personal data in a timely manner and help ensure that critical data is not lost from the organisation.

-Third parties. The GDPR requires that where a third party processes data on an organisation’s behalf, both the data controller and the data processor comply with the regulation. ISO 27001 provides supplier relationship controls (Annex A.15) for managing third-party risk.

-Breach notification. The GDPR requires a controller to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, and to notify the affected data subjects where the breach is likely to result in a high risk to them. ISO 27001’s incident management controls (Annex A.16) cover detecting, reporting and responding to security incidents, which is the foundation for meeting these deadlines, although the GDPR’s specific notification timelines and content must be added to the incident process.
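The pseudonymisation point in the list above is easy to get wrong in practice, because replacing an email address with a plain SHA-256 hash is not effective pseudonymisation: anyone with a list of likely addresses can recompute the hashes and re-identify the records. The example below is added here and is not code from the page, from ISO or from any GDPR guidance. It pseudonymises constructed insurance-style records with a keyed HMAC, so the same person still joins across datasets but the tokens cannot be recomputed without the key (the “additional information” that Article 4(5) says must be kept separately), and then runs the same guessing attack against both schemes. The field names, the sample people and the key are all invented for the demonstration.

```python
"""Keyed pseudonymisation of direct identifiers, with a dictionary attack that
shows why an unkeyed hash is not enough. Added example; the record layout and
the key below are constructed for the demo, not taken from any standard."""
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Fields treated as direct identifiers in this constructed example (an assumption,
# not a list from the page or from any standard).
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def _normalise(value: str) -> bytes:
    """Canonical form so 'Alice@Example.com' and 'alice@example.com' share a token."""
    return value.strip().casefold().encode("utf-8")


def pseudonym_for(value: str, key: bytes) -> str:
    """Keyed, deterministic token for one identifier (HMAC-SHA256).

    Same input and same key give the same token, so records can still be joined
    across datasets. Without the key an attacker cannot recompute tokens from
    guessed inputs; the key is the 'additional information' kept separately.
    """
    return hmac.new(key, _normalise(value), hashlib.sha256).hexdigest()


def unkeyed_token(value: str) -> str:
    """The weak alternative: a plain SHA-256 of the normalised value."""
    return hashlib.sha256(_normalise(value)).hexdigest()


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a copy of record with each direct identifier replaced by its token.

    Non-identifying fields (policy_type, claims) pass through unchanged, which
    is what keeps the pseudonymised dataset useful for analysis.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if out.get(field) is not None:
            out[field] = pseudonym_for(str(out[field]), key)
    return out


def recover_by_guessing(token: str, candidates: list,
                        token_fn: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: recompute the token for each candidate and compare.

    Works against unkeyed_token because anyone can compute it; fails against
    pseudonym_for unless the attacker also holds the key.
    """
    for candidate in candidates:
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


def demo() -> dict:
    """Pseudonymise constructed records and attack both token schemes."""
    # In production the key lives in a KMS/HSM, separate from the pseudonymised data.
    key = secrets.token_bytes(32)
    # Constructed sample records; the people are fictional.
    records = [
        {"name": "Alice Example", "email": "Alice@Example.com",
         "phone": "+44 7700 900123", "policy_type": "motor", "claims": 1},
        {"name": "Bob Sample", "email": "bob@example.org",
         "phone": "+44 7700 900456", "policy_type": "home", "claims": 0},
        {"name": "Alice Example", "email": "alice@example.com",
         "phone": "+44 7700 900123", "policy_type": "travel", "claims": 2},
    ]
    pseudo = [pseudonymise_record(r, key) for r in records]
    # An attacker's candidate list, e.g. from a leaked marketing database.
    guesses = ["carol@example.net", "alice@example.com", "bob@example.org"]
    return {
        "pseudonymised": pseudo,
        # Same person, same token: the two Alice policies can still be linked.
        "same_person_joins": pseudo[0]["email"] == pseudo[2]["email"],
        # Plain hashing: the email is recovered from the candidate list.
        "weak_token_recovered": recover_by_guessing(
            unkeyed_token(records[0]["email"]), guesses, unkeyed_token),
        # Keyed tokens: guesses computed without the real key never match.
        "keyed_token_recovered": recover_by_guessing(
            pseudo[0]["email"], guesses,
            lambda c: pseudonym_for(c, b"attacker-has-no-key")),
    }


if __name__ == "__main__":
    result = demo()
    for row in result["pseudonymised"]:
        print(row)
    print("same person joins:", result["same_person_joins"])
    print("recovered from plain hash:", result["weak_token_recovered"])
    print("recovered from keyed token:", result["keyed_token_recovered"])
```

Two design points matter for the Article 32 argument: the token is deterministic, so analysts can still count claims per customer, but re-identification requires the key, which should be held by a different team or system from the one holding the pseudonymised data; and the key, not the algorithm, is the secret, so rotating it (and re-tokenising) is the recovery path if it ever leaks.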

If an organisation is ISO 27001 certified, does it mean they are completely GDPR compliant?

If an organisation is ISO 27001 certified, it does not mean that it is completely GDPR compliant, as ISO 27001 does not cover every GDPR requirement. For example, it does not cover the rights of data subjects, data portability processes, or the right of a data subject to have their personal data erased when an organisation no longer needs it, and it says nothing about lawful bases for processing. It is beneficial to become ISO 27001 certified as it creates a very strong starting point; an organisation can then conduct a GDPR gap analysis to decide what other measures need to be taken in order to become compliant.

How does ISO 27001 differ to others?

ISO 27001 differs from ISO 27002 in that an organisation can be certified against ISO 27001. This is because ISO 27001 is a management standard that defines the requirements for establishing and running an information security management system (ISMS): the specific steps and assessments needed to operate an ISMS are stated in ISO 27001.

ISO 27002, by contrast, is far more detailed but is not a management standard, so an organisation cannot become ISO 27002 certified. Each standard in the ISO 27000 series has a particular focus, so an organisation that wants guidance on how to implement controls should use ISO 27002.

ISO 27001 also differs from Cyber Essentials, the UK government's programme for protecting organisations from data threats. Cyber Essentials sets out controls to protect a company's IT systems and demonstrates that these precautionary steps have been put in place. The difference is that ISO 27001 covers all personal data stored within an organisation, from paper forms to digital media, whereas Cyber Essentials only addresses personal data stored on IT systems.

To ensure your organisation is GDPR compliant, using ISO 27001 as a starting point is wise, as it covers so many of the GDPR requirements and offers essential guidance. Therefore, ISO 27001 ultimately helps an organisation avoid a data breach and its consequences.

In this article:

  • What does GDPR stand for?
  • Why is GDPR important?
  • Who does GDPR apply to?
  • The key aspects of GDPR
  • Why was GDPR needed?
  • Does GDPR replace the DPA?
  • How to become GDPR compliant

What does GDPR stand for?

GDPR stands for General Data Protection Regulation. It is a European Union (EU) law that came into effect on 25th May 2018. GDPR governs the way in which we can use, process, and store personal data (information about an identifiable, living person). It applies to all organisations within the EU, as well as those supplying goods or services to the EU or monitoring EU citizens.
It is therefore essential for businesses and organisations to understand explicitly what GDPR means. It is the legislative force established to protect the fundamental rights of data subjects whose personal information and sensitive data is stored by organisations. Data subjects now have the right to demand subject access to their personal information, and the right to demand that an organisation destroys their personal information. These regulations affect most business sectors, from marketing to health services. Therefore, to avoid the crippling fines administered by the Information Commissioner's Office (ICO), it is essential to become GDPR compliant.

GDPR Key Principles:

  • Lawfulness, transparency and fairness
  • Only using data for the specific lawful purpose for which it was obtained, the most lenient of which is legitimate interests
  • Only acquiring data that we strictly need
  • Ensuring any data we possess is accurate
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Why Is GDPR Important?

Primarily, GDPR is important because it provides a single set of rules for all EU organisations to adhere to, giving businesses a level playing field and making the transfer of data between EU countries quicker and more transparent. It also empowers EU citizens by giving them more control over the ways in which their personal data is used.
Prior to introducing the new GDPR legislation, the European Commission found that a mere 15% of citizens felt that they had complete control over the information that they provided online. With such low trust amongst the general public, it is clear that consumer habits will ultimately be affected. Measures to rebuild this confidence, through the introduction and proper implementation of GDPR, are expected to increase trade.
Thorough implementation of data protection policies and staff education are important as non-compliance could result in a data breach. The Information Commissioner’s Office (ICO) can issue fines of up to 4% of your annual turnover or €20 million, whichever is greater, in the event of a serious data breach. Data protection training is a necessity in mitigating the risk of data breaches.

Who Does GDPR Apply To?

The General Data Protection Regulation (GDPR) governs the way in which personal data is gathered and handled in the European Union (EU). Personal data is defined as any information relating to an identified or identifiable, living person. GDPR applies to any individual or organisation that handles personal data within the EU. Countries outside of the EU that handle personal data are known as ‘Third Countries’ under GDPR. They may have their own data protection legislation, but they are required to comply with GDPR in the following circumstances:

  • When supplying goods/services to the EU
  • When processing data about citizens residing within the EU

The key aspects of GDPR:

GDPR has replaced the 1995 Data Protection Directive, which established minimum requirements for data protection across Europe. This moderate approach to data protection, prior to 2018, led to a series of data breaches and scandals, allowing the compromise of data subjects’ personal information. Now, the changes established in the GDPR will provide better protection of data subjects’ fundamental rights.

  • Extended Jurisdiction: The GDPR now applies to any organisation which processes personal data of data subjects who are in the EU. This means that GDPR applies to big and small organisations, in and outside of the EU.
  • Consent: There is a strict focus on consent; it has to be specific and clear.
  • Right to Access: A data subject can issue a subject access request to view their personal information, and an organisation must comply.
  • Right to be Forgotten: A data subject can demand that their personal information is destroyed by a data controller.
  • Data Protection Officer: Data controllers are now expected to have a DPO in their team, to ensure data protection regulations are being upheld.
  • Penalties: The ICO can now issue much harsher repercussions for a data breach, including fining an organisation up to €20 million or 4% of its global turnover, whichever is highest.
Why was GDPR needed?

Society is now more data-driven than ever, and the vast amount of sensitive data stored on computers has resulted in a rise in cyber-attacks and data breaches.

Phishing Emails

Phishing is one of the main ways cyber-criminals obtain personal information: scam emails trick recipients into handing over details, which can then be used to alter bank and account details. Because this sort of cyber-attack is so common, GDPR is now essential to prevent it from happening so often.
Organisations need to be alert to emails which might contain viruses or other malware, to protect their IT network. If a virus manages to infiltrate an organisation's systems, the personal information of customers and employees will be compromised and a data breach will occur.
Organisations should implement email encryption so that personal information included in emails cannot be read by attackers. A data controller can also use a secure email gateway to prevent emails containing malware, phishing attacks or spam from reaching the organisation. Consequently, to be GDPR compliant an organisation should arrange the installation of a secure email gateway to monitor its email.

Office 365 and GDPR

Many organisations and businesses use Office 365 software to store vital information, such as spreadsheets of employee personal and sensitive data, business contracts and annual reviews. Office 365 therefore has a responsibility to ensure this data is protected.
Office 365 is cloud-based software, and up to 85% of businesses store their data in the cloud. Even though the data is held in the cloud, Office 365 still needs to remain GDPR compliant. To do so, Office 365 provides auto-label policies and intelligent content search to help locate personal information easily. Office 365 has thereby demonstrated its GDPR compliance by making personal data transparent and easy to locate.

End User Consent

The GDPR has imposed tighter control on end user consent when processing personal data. It takes the stance that a data subject must be informed of the processes which will be used to store their personal data, and it is then the data controller's responsibility to make the processing of that personal data visible to the data subject. The data subject can then withdraw their consent once they feel that the data controller no longer needs their personal information, or that the information may come to harm.

Two-Factor Authentication

Article 32 of the GDPR stipulates that an organisation should apply technical measures to protect personal information, for example two-factor authentication. Two-factor authentication should be applied to systems which process personal information, such as mobile devices, which should also be encrypted.
GDPR should not intimidate organisations: if the regulations and safeguards are implemented properly, there should be no problems and no reason for the ICO to get involved.
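Article 32 names two-factor authentication only as an example of a technical measure, so here is an added example (not code from the page, the regulation or any vendor) of what the second factor actually involves on the server side: a time-based one-time password check as specified in RFC 6238 and RFC 4226, the scheme behind most authenticator apps. The secret is the RFC's published test key; the drift window and the replay guard are design choices of this example, not something the page prescribes.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F                             # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits, algorithm)


class TotpVerifier:
    """Server-side verifier that tolerates small clock drift and refuses replayed codes.

    'window' and the replay guard are this example's design choices (assumed, not mandated).
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, algorithm: str = "sha1"):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window            # accept codes from +/- this many time steps
        self.algorithm = algorithm
        self.last_accepted_step = -1    # highest step already used for a successful login

    def verify(self, submitted: str, unix_time: int) -> bool:
        # Reject malformed input before comparing; non-ASCII would make compare_digest raise.
        if len(submitted) != self.digits or not (submitted.isascii() and submitted.isdigit()):
            return False
        current = unix_time // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate < 0 or candidate <= self.last_accepted_step:
                continue  # negative counter, or a step whose code was already accepted (replay)
            expected = hotp(self.secret, candidate, self.digits, self.algorithm)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test key; at T=59 the 8-digit SHA-1 code is 94287082.
    test_key = b"12345678901234567890"
    print(totp(test_key, 59, digits=8))
```

The two details worth copying into any real deployment are the constant-time comparison, so that a wrong guess cannot be timed against the expected code, and the `last_accepted_step` guard, which makes an intercepted code useless once it has been used.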

Does GDPR replace the DPA?

The Data Protection Act (DPA) 1998 was superseded by the European Union (EU)’s General Data Protection Regulation (GDPR) on 25th May 2018. Prior to 25th May 2018, the ruling UK data protection legislation was the Data Protection Act (DPA) 1998. The DPA was brought in at the end of the 20th century as computers became increasingly commonplace in businesses. However, by 2018, the DPA was admittedly outdated and no longer reflected the digital/technological age in which we live. For example, a vast proportion of individuals in the UK use social media, many of us possess more than one digital device (phones, tablets, laptops), and almost all businesses rely on computer networks. The digital world that we live in has changed the way we process information, and the laws were updated accordingly.

How to become GDPR compliant

In order to become GDPR compliant, you must first understand the rights of the individual granted by the legislation. They are as follows:

  • Right to be informed of how your data is being processed
  • Right to access this data
  • Right to rectify incorrect data
  • Right to erase data
  • Right to restrict processing of personal data
  • Right to data portability – this means that as a business you will need to put in place a system by which you can quickly and easily compile all the personal data you hold on an individual and make it securely accessible to them
  • Right to object to your data being processed
  • Rights relating to automated decision making, including processing

Organisations must then identify their role in the flow of data: are they a data controller or a data processor? Data controllers determine why and how personal data will be used. Data processors are individuals or companies that process personal data on behalf of the data controller.
Whilst data controllers retain ultimate responsibility for protecting their data, data processors too are required to comply with GDPR when processing and storing personal data. Data controllers should draw up a written contract in which their processors agree to comply with their data policies, and ensure it is signed by all third parties.

Under GDPR, it is important to identify the lawful basis for processing personal data. The acceptable reasons are:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

When processing special category data (sensitive personal information), the grounds on which it can be lawfully used differ. Processing requires both a lawful basis and a special category condition.
The GDPR requires some organisations to appoint a Data Protection Officer (DPO). A DPO is removed from the daily processing activities of your organisation but is responsible for ensuring GDPR compliance. You must appoint one if you are a public authority, perform regular large-scale monitoring of individuals as a core activity, or conduct large-scale processing of special category data or information on criminal convictions/offences as a core activity.
Businesses must conduct a Data Protection Impact Assessment (DPIA) if a processing activity is likely to result in a high risk to individuals. This is intended to identify and minimise risk to individuals' personal data. The risk assessment considers both the likelihood and the severity of the impact of the risk. If, whilst conducting a DPIA, you identify a high risk which you cannot mitigate, you must inform the ICO.
Consent is also more tightly regulated under GDPR, meaning that businesses need to familiarise themselves with these new requirements. Consent must be freely given, clear, specific, unambiguous, and indicated by a positive affirmative action. Any consent you have obtained in the past needs to meet these requirements too, and must be reobtained if it does not.
Stating GDPR compliance is no longer enough; it must now be demonstrated. You are required to issue a privacy policy to inform your data subjects how their personal data will be used. You should also draw up a plan for what to do if a data breach occurs.

The General Data Protection Regulation (GDPR) came into effect in May 2018. It regulates the use of personal data (data relating to any identifiable, living person) across the EU. Not only does GDPR apply to companies operating within the EU, but also to companies who provide goods or services to organisations/individuals within the EU. The GDPR has modernised digital data protection, increased transparency, and extended the rights of the individual. The UK implementation of the GDPR is known as the Data Protection Act 2018, for which the Information Commissioner’s Office (ICO) is responsible for enforcing compliance.

Main GDPR Principles:

The cornerstones of the GDPR are the principles listed below:

  • Lawfulness, transparency and fairness
  • Use limited to the purpose for which it was obtained
  • Data minimisation
  • Accuracy
  • Limitations on storage
  • Confidentiality and integrity
  • Accountability

Individual Rights:

Data subjects are persons whose personal data is gathered, stored, and processed. Once data is gathered about a subject, it is then out of their control. This is why GDPR has extended the reach of data protection rights for the individual; these are as follows:

  • The right to access
  • The right to correction
  • The right to erasure
  • The right to processing information
  • The right to processing restriction
  • The right to data portability
  • The right to object to automated individual decision-making and profiling

How Will GDPR Affect Your Company?

A Data Protection Officer (DPO) is an external individual, removed from the daily processes of your company, who is responsible for ensuring GDPR compliance. Not all companies are required to appoint a DPO, but all are at liberty to do so. You are required to employ a DPO in the following circumstances:

  • You are a public authority
  • Your core activities require regular, large scale monitoring of individuals
  • Your core activities require large scale processing of special category data or data relating to criminal convictions/offences

Small and medium-sized enterprises (SMEs) are companies with fewer than 250 employees and, unlike larger organisations, they are not required to document all of their processing activities. The activities that do require documentation are: regular activities, activities that could risk the rights/freedoms of an individual, special category data processing, and processing of data regarding criminal offences/convictions.

Special Category Data

Sectors that handle special category data, such as healthcare groups, legal firms, and religious organisations, have come under close scrutiny following the launch of GDPR. Special category data is a type of personal data which is highly sensitive and subject to additional restrictions. Such data includes: health information, race, religious beliefs, political opinions and biometric data. Organisations that process this data must have an additional condition allowing them to process it, e.g. explicit consent.

Importance of GDPR for Your Company

GDPR compliance is vital within your company as the dire alternative is a data breach, with massive consequences for your organisation and its data subjects. Good GDPR practices, on the other hand, can give you a competitive advantage, enabling well-founded trust in your company for both your customers and your employees. Additionally, you will ensure the security of your company, which is more crucial than ever due to an increasing prevalence of data breaches. Data protection training is crucial in ensuring compliance and protecting your company.

The General Data Protection Regulation (GDPR) will certainly affect the conduct of cold calling, but it will not stop organisations from using cold calling to contact customers. Cold calling requires an organisation to process personal data, so GDPR changes the process to ensure that personal data is processed lawfully and fairly.

Therefore, businesses which use cold calling as a tool for direct marketing, need to be aware of how to change their procedures to be GDPR compliant.

Direct Marketing and Cold Calls

Cold calls can be used as an outbound marketing strategy, as they allow an organisation the opportunity to directly contact a customer. This phone call can help initiate consumer interest into an organisation’s product and aid lead generation.

Lead generation now needs to be GDPR compliant, therefore an organisation needs to document their materials used to create leads, such as contact forms.

Balancing Test

Article 6 of the GDPR explains the lawfulness of processing, and how an organisation can use personal data. Therefore, organisations using cold calling must examine Article 6 to decide how they can use personal data.

A data subject needs to have given an organisation specific consent to use their personal data, such as consent to be contacted by email about a product. Article 6(1)(f) then allows an organisation to rely on legitimate interest to contact a data subject by telephone, but only if those interests are not overridden by the rights or freedoms of the data subject.

Recital 47 of the GDPR addresses legitimate interest, which can be used as a justification for the processing of personal data in direct marketing. However, legitimate interest requires a ‘balancing test’ comparing the interest of the organisation against the interest of the data subject. The balancing test is needed if an organisation is going to rely on the legitimate interest clause to conduct cold calling, and it must be documented if the organisation wants to protect itself from a fine.

The balancing test weighs the organisation's interest against the data subject's interest. For example, an organisation's interest is advertising a product to a customer via phone call, whereas a data subject's interest is the protection of their personal data and the upholding of their fundamental rights.

An organisation using cold calling needs to consider whether it will directly impact the data subject negatively.

The balancing test will demonstrate that an organisation has considered the data subject’s fundamental rights, and in effect has complied with regulation. It will also improve the reputation of the organisation, as they will be known for their GDPR compliance and therefore data subjects will not feel harassed by receiving cold calls.

Cold Emailing

Cold emailing is another tool used for direct marketing, as it allows an organisation to directly communicate with a customer. Like with cold calling, cold emailing will be affected by GDPR, and an organisation will have to alter their procedure to become GDPR compliant.

You will need to have the consent of a data subject, which is freely given, specific, informed and unambiguous, in order to email them. This consent will need to be explicit, so that your organisation can prove that consent was achieved, if necessary.

There should be an explicit reason for sending an email to a recipient, one which is connected to them. If a cold email is sent out, for example after internal approval under legitimate interest, then there needs to be an option to withdraw from the email communication via an “opt-out” mechanism.

If an organisation wants to remain GDPR compliant, then they need to be well trained with their marketing strategies, to ensure cold calling and cold emailing are conducted in the appropriate fashion.

There are two stages towards becoming GDPR compliant: creating a strategy which is specific to your business, and subsequently implementing your business' pre-determined strategy in time for the implementation of the General Data Protection Regulation on 25th May 2018.

Creating a strategy to prepare for GDPR:

Here are 6 steps you could apply to your GDPR strategy:

1-Connect your varying sources of data together to form one single bank of data; this needs to be easy to locate and access for every member of the organisation who handles personal data

2-Decide the roles in your organisation, who is: the data processor, the data subjects and the data protection officer (DPO)

3-GDPR has been formulated to protect data subjects’ rights, therefore you need to enact the safeguards stated in the GDPR

4-Make your data management transparent, demonstrate why and how you carry out your procedure, so that you have evidence and justification if you are questioned about your data management by the Information Commissioner’s Office (ICO)

5-Use an audit trail to track and document all of your data management actions, such as how you received consent, then how you documented and processed this consent afterwards

6-Finally, note where your non-compliance risks are. For example, do you have the right subject access request procedures in place to allow a data subject to access their personal data? Note down the areas of your data management strategy which could be at risk of non-compliance and pay extra attention to these areas.
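Step 5's audit trail is where the consent requirements discussed earlier (freely given, specific, indicated by an affirmative action, withdrawable at any time) and the "opt-out" of the cold emailing section come together. The following Python is an added example, not code from the page or from any of the companies it mentions, of a tamper-evident consent ledger: each entry is hash-chained to the one before it, so a later edit or deletion of an earlier record is detectable, and checking whether a given purpose is currently permitted is simply a replay of the log. Subject ids, purposes, timestamps and evidence strings are constructed; hash chaining is one integrity technique chosen for this example, not something GDPR itself prescribes.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def _hash_record(record: dict) -> str:
    """SHA-256 over a canonical JSON encoding of every field except the hash itself."""
    body = {k: v for k, v in record.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class ConsentLedger:
    """Append-only consent log. Each entry commits to the previous entry's hash, so
    altering or removing any earlier record breaks every later hash (constructed example)."""

    def __init__(self):
        self.entries = []

    def _append(self, event: dict) -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        record = dict(event, prev_hash=prev_hash)
        record["hash"] = _hash_record(record)
        self.entries.append(record)
        return record

    def record_consent(self, subject_id, purpose, timestamp, source, affirmative_action, evidence):
        """Log consent only when it was an affirmative act; pre-ticked boxes and silence do not count."""
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action; refusing to log it as given")
        return self._append({
            "event": "consent_given", "subject_id": subject_id, "purpose": purpose,
            "timestamp": timestamp, "source": source, "evidence": evidence,
        })

    def withdraw_consent(self, subject_id, purpose, timestamp, source):
        """Withdrawal (e.g. an unsubscribe link) is appended, never applied by editing history."""
        return self._append({
            "event": "consent_withdrawn", "subject_id": subject_id, "purpose": purpose,
            "timestamp": timestamp, "source": source, "evidence": None,
        })

    def has_consent(self, subject_id, purpose, at=None) -> bool:
        """Replay the log: the latest event for (subject, purpose) no later than 'at' decides.
        Timestamps are ISO-8601 UTC strings, so plain string comparison orders them."""
        state = False
        for e in self.entries:
            if e["subject_id"] != subject_id or e["purpose"] != purpose:
                continue
            if at is not None and e["timestamp"] > at:
                continue
            state = e["event"] == "consent_given"
        return state

    def verify_chain(self) -> bool:
        """Recompute every hash and link; any tampering with a stored entry returns False."""
        prev = GENESIS_HASH
        for e in self.entries:
            if e["prev_hash"] != prev or _hash_record(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def build_demo_ledger() -> ConsentLedger:
    """Constructed sample history for one data subject (ids, dates and campaign names are made up)."""
    ledger = ConsentLedger()
    ledger.record_consent("subject-1001", "email_marketing", "2018-05-20T10:15:00Z",
                          source="re-permission email", affirmative_action=True,
                          evidence="clicked 'Yes, keep emailing me' in campaign RP-2018-05")
    ledger.record_consent("subject-1001", "phone_marketing", "2018-05-20T10:15:00Z",
                          source="re-permission email", affirmative_action=True,
                          evidence="ticked the unchecked box 'Call me about offers'")
    ledger.withdraw_consent("subject-1001", "email_marketing", "2018-06-01T08:00:00Z",
                            source="unsubscribe link")
    return ledger


if __name__ == "__main__":
    demo = build_demo_ledger()
    print("chain intact:", demo.verify_chain())
    print("may email subject-1001 now:", demo.has_consent("subject-1001", "email_marketing"))
```

In a real deployment the entries would be persisted and the current chain head periodically signed or stored somewhere the application cannot write to, so that a rewrite of the whole log is also detectable; the replay-based `has_consent` check is what a marketing system would call before every send or call, and the stored `evidence` is what the ICO would be shown if the consent were questioned.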

Essential use of enterprise architects:

Dr Tim O’Neill, founder of Avolution, a global provider of Enterprise Architecture, states that the use of enterprise architects and risk and compliance professionals, is needed in a business to help create an effective GDPR strategy.

Enterprise architects can help to adapt the IT of a business to coincide with the GDPR strategy, this will create a more efficient base to work from.

Sector specific GDPR strategies:

Asos.com, the online British retailer, demonstrated an efficient GDPR strategy by emailing its customers to notify them of its new data protection regulations. These emails offered customers an “opt-in” mechanism as well as an “opt-out” mechanism, making the options for consent explicit. As Asos.com demonstrated, a GDPR strategy can be straightforward if you start early, so start with your re-permission campaigns to obtain specific consent from your customers.

Protiviti, the UK risk and business consultancy firm, have published a guide to help with building a compliance strategy for businesses. There is a lot of GDPR advice circulating, therefore there is no reason not to be ahead of the industry, especially if your business wants to avoid the crippling fines which will be issued by the Information Commissioner’s Office (ICO).

How can my business implement changes for GDPR?

Once the GDPR strategy has been created, it is time to implement it as quickly as possible to avoid censure.

Correct implementation of your GDPR strategy is needed to mitigate the risks of a data breach. If a data breach occurs, the ICO can fine your business up to €20 million or 4% of an organisation's global turnover, whichever is highest. The first GDPR data breach occurred at Ticketmaster, an American ticket sales and distribution company, in June 2018, and is currently being investigated by the ICO.

Sainsbury’s, the second largest supermarket chain in the UK, has been credited for its successful GDPR implementation and compliance. The Chief Data Officer, Andy Day, spoke out about Sainsbury’s GDPR strategy, and notes that for the time being, they are focusing on being compliant and demonstrating how trustworthy their organisation is.

A re-permission email was sent out to Sainsbury’s customers asking them explicitly if they would still like to receive emails from Sainsbury’s, effectively re-gaining their consent.

Sainsbury's has suggested going one step further, to gain a competitive edge over its rivals by creating a system of complete transparency for customers. This would take the form of a system allowing Sainsbury's customers to log on and view the data Sainsbury's uses about them, for example to work out their shopping habits. Although this is currently only a suggestion, it does demonstrate Sainsbury's being proactive in enforcing its GDPR compliance.

Therefore, if an organisation establishes a well prepared GDPR strategy, then the implementation of this strategy should ensure GDPR compliance is achieved.