General Data Protection Regulation (GDPR) to bring seismic shift

By Phil Brining

In the first of a series of blogs to explore the GDPR and its implications DPP’s Phil Brining explores the long-awaited Regulation.

The General Data Protection Regulation is the sort of document that one needs to read more than once to get a really good feel for it.  The Regulation comprises 91 Articles; each Article in the main containing several clauses.  In general, I like the document – it’s well-structured and pretty easy to read.   It’s actually a lot easier to follow than the Data Protection Act and having read through the text a couple of times the juggernaut hammering towards us is plain to see!

I don’t want to be alarmist but I exaggerate not.

There are some massive changes contained in the Regulation.  Some of the material is familiar – such as the concept of “data subject, data controller, data processor etc.”; some is similar to the Data Protection Act – such as Data Protection Principles; and some is brand new like many of the statutory obligations on data controllers and data processors, new powers for the ICO or its replacement authority, and new rights conferred on data subjects.  Even the familiar stuff contains new twists: there are only six data protection principles for instance rather than the familiar eight.  But the first principle adds the words “and in a transparent manner” to the familiar fairly and lawfully.  The sixth principle is brand new, Personal data must be: “processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation”.  Wow!?

I’ve heard people rejoicing the demise of the requirement to Register with the Information Commissioner – but Article 14 sets out the bones of a replacement mechanism for providing similar information to data subjects. Article 14(c) requires data controllers to provide data subjects with an indication of the period for which the personal data will be stored.  This strikes me as putting pressure on database vendors to enhance the metadata around records to enable a robust retention policy to be implemented.  And just in case you might think that retention policies might be a minor point to the regulator – the stratified sanctions in Article 79 detail a fine of up to Euro 500,000 or 1% of annual worldwide turnover for intentional or negligent failure to comply with a bunch of Articles including Article 14!  And these are the middle-ranking fines.  Given the regulator’s new powers to enter premises and access equipment (Article 53 (2)) – there is a very strong case emerging for getting properly organised for the Regulation pronto!

Perhaps the biggest change contained in the GDPR which will come as no surprise to those who have followed its progress through the legislative process is the onus being placed squarely on data controllers and data processors to be able to demonstrate how they are complying with the Regulation.  In several clauses, the GDPR refers to “documentation”, “audit and compliance controls”, “reasoned justification”, “evaluation of the risks”, “description of mechanisms” etc. and several articles set out the need to have a well-organised business operation in respect of data protection and privacy.  I have been working in the data protection field for over a decade and I have not yet seen anything that comes close to what will need to be implemented and operational within the two-year lead-in period – i.e. by 2018.

There are provisions that attempt to spare micro, small and medium-sized organisations from some of the necessary internal bureaucracy but, if you are in a public authority, or an enterprise employing more than 250 people, or an enterprise employing fewer than 250 people who are only processing personal data as an ancillary business activity – you need to start reading up on the Regulation.

The GDPR will bring many benefits but it will take a few painful years I fear.  It will create a far more certain environment in which to be processing data.  It will bring data processing operations under the same types of management and process control as other business processes and it will actually make our lives a lot easier.  But the transition could be hard work and tricky.

Data Protection People will be running a regular Blog to encourage discussion, consideration, and understanding about the changes but please contact us if you have any questions.

