Update: Since this article was published in January 2016, the UK has voted to leave the European Union. Accordingly, there has been confusion surrounding the adoption of the General Data Protection Regulation (GDPR). Readers may also want to read a new blog on the issues surrounding GDPR and Brexit.
If you are involved in data protection for your organisation, you may feel like you are facing change and uncertainty in equal measure – and you’d be right.
While you’ll need to know about the Data Protection Act, you may also be aware of recent changes to the Safe Harbor arrangement affecting the international storage of data in the US. In addition, the European Commission plans to unify data protection within the European Union (EU) with a single law, the General Data Protection Regulation (GDPR).
This article guides you through the Data Protection “essentials” with links for further information. We conclude with a checklist to help you ensure best practice now – and in readiness for the changes that are coming.
The Data Protection Act
The Data Protection Act 1998 controls how personal information can be used and our rights to ask for information about ourselves. If an organisation handles personal information about individuals, it has obligations to protect that information under the Data Protection Act.
Organisations can be fined up to £500,000 by the Information Commissioner for serious contraventions of the Data Protection Act. As an example, a serious contravention could be the failure of a data controller to take adequate security measures, such as encrypting files or devices that results in the loss of personal data.
To demonstrate this, on 4 Nov 2015, The Crown Prosecution Service (CPS) was fined £200,000 after laptops containing videos of police interviews with victims and witnesses were stolen from a private film studio. The CPS sent data on an unencrypted CD/DVD, which the film company then put on an unencrypted (and not locked down/hardened) laptop.
- The requirement to notify (register)
The Data Protection Act requires every data controller (from sole trader to large organisation) who is processing personal information to register with the ICO, unless they are exempt. More than 400,000 organisations are currently registered. Failure to notify is a criminal offence and is the responsibility of the data controller.
In order to check if your organisation (or one that you may be working with or for) has been notified, search the public register .
- The eight data protection principles
The Information Commissioner’s Office publishes a guide for those who have day-to-day responsibility for data protection. It explains the purpose and effect of each of its data protection principles, gives practical examples and answers frequently asked questions.
For brevity purposes, we won’t list them in full – you can find a summary on the Information Commissioner’s Office website.
However, of particular relevance is Principle 7 – covering information security.
This principle asks if you have pragmatic, appropriate and cost-effective security measures in place to protect the data that you hold.
For example, consider the Confidentiality, Integrity and Availability of your data:
- Confidentiality: What are you doing to prevent unauthorised access? How do you enforce the “Need to Know” principle?
- Integrity: What are you doing to prevent the data from being altered accidentally or in an unauthorised manner?
- Availability: What are you doing to ensure that the data is available when required for the purpose for which it is kept? Is the data backed up? Do you have access controls in place?
International considerations and Safe Harbor
If you intend to transfer personal data outside of the European Economic Area (EEA), restrictions will apply.
Principle 8 of the Data Protection Act says “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
In October, the European Court of Justice ruled that the 15-year-old Safe Harbor agreement was invalid in that it would not restrict the US national supervisory authorities – powers from accessing personal data to the same extent as those within the EU. As such, US data protection was not equivalent to the fundamental rights and freedoms guaranteed with the EU.
The upshot is that, if you are a EU-based organisation currently transferring personal data to the US, you may need to source an EU-based alternative but the advice from ICO is not to panic . No doubt because of the uncertainty around the Safe Harbor ruling, both Amazon and Microsoft are in the process of either opening or partnering with European-based options to provide alternatives to their US-based servers.
The deadline for the EU agreeing on a solution with the US is now expected to be the end of January 2016 – but may be delayed further. With Safe Harbor, you need to “watch this space”.
The EU General Data Protection Regulation (GDPR)
The GDPR is not expected to come into force until 2018 but when it does, it will extend the scope of the EU data protection law to all foreign companies processing data of EU residents. Described by SC Magazine as “another earth-shaking shift in EU data protection”, organisations will soon be required to comply with tougher rules to prove they actively protect personal data.
What’s more, breaching the new regulations could incur severe penalties of between 2% and 4% of worldwide turnover, depending on whether the European Commission or Parliament has the final say.
Perhaps the most controversial aspect of the GDPR is the “right to be forgotten”. For most companies that handle consumer data, this is effectively the right to have it erased. A particular headache is that it could apply to data collected back in the data subject’s childhood. If this data is now stored elsewhere, then it will still need to be erased.
Another proposal in the GDPR concerns the time given to respond and comply. A Data Protection Officer (DPO) is supposed to be responsible for creating access controls, reducing risk, ensuring compliance, responding to requests, reporting breaches – within 72 hours. Is this realistic in practice? What does it mean for staffing and accountability?
One thing we can be sure about is that compliance with the proposed new regulations is expected to increase organisational costs – but, with the hefty penalties facing organisations that fail to comply, might the cost of non-compliance be even higher?
The GDPR is discussed in more depth in this article from SC Magazine.
Data protection checklist
We believe the following recommendations are best practice for data protection, irrespective of compliance with legal requirements. However, reviewing where you are now will give you time to address any issues and ensure your organisation is ready for the GDPR.
- Write a policy that describes how you are managing personal data in line with the requirements of the eight principles of the Data Protection Act.
- Produce a Privacy Impact Assessment (PIA) so that you can identify the risks and mitigate them in order to reduce the risk of harm to individuals through the misuse of personal information.
- Consider implementing the principles of “Privacy by Design”. Rather than data security being an afterthought, design your systems to cater for the protection of personal data from the outset. This guide will help you get up to speed with Privacy by Design.
- Define your storage location. Many businesses are not entirely sure where all their data is actually stored. The GDPR will specify precise guidelines on the storage and gathering of data – so you’ll need a clear understanding of where yours is.
- Determine access. Understand who has access to your data and ensure that robust controls are in place to secure and manage this access.
- Assess the risk. It is always wise to identify potential risk areas and develop systems and solutions to address any shortfalls. Ascentor has written extensively on the topic of Risk Assessment – you’ll find articles on both why and how to do them here.
For further information
If you’d like to discuss how our consultants could advise on any aspect of data protection, please contact Dave James at Ascentor.
If you have found this article of interest, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.