What are the current information security regulations for businesses?
Organisations in the UK currently operate under the Data Protection Act 1998 (DPA). The recently introduced Data Protection Bill, which is still before Parliament, will supplement the GDPR in UK law once it is passed. As of 25 May 2018 the DPA will be replaced by the General Data Protection Regulation (GDPR).
For further information about the current regulations and the GDPR, see our guide.
What is the Data Protection Act?
The Data Protection Act (DPA), created in 1998 and introduced in 2000, is designed to protect individuals’ personal data stored electronically and on paper, and to give legal rights to people who have information stored about them.
If your business possesses personal data about your clients, employees, suppliers or other stakeholders, you are legally obliged to protect that information under the DPA.
Why is the Data Protection Act being replaced?
When the Data Protection Act (DPA) came into force in 2000, only large organisations had the means to collect and store significant amounts of data. Since then, advances in technology have made data collection easier and more sophisticated, so that many small and medium businesses now do it too. Data thieves have seized the opportunity: in 2016, UK companies lost more than £1bn to cybercrime. The DPA is therefore considered out of date, and tighter, more comprehensive law is needed to protect personal data.
When is the DPA being replaced?
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018.
What are the main changes?
It’s worth taking a look at the Information Commissioner’s Office (ICO) website for a detailed overview of the GDPR and what you can do to prepare for it. However, we’ve identified the key changes that organisations should be aware of:
- Regulatory fines — a two-tier system is introduced, with a maximum of €20 million or 4% of annual global turnover, whichever is higher, for the most serious infringements (the lower tier is capped at €10 million or 2% of turnover).
- Accountability — companies will need to justify, document and evidence their actions and decisions.
- Data protection officer — mandatory for public authorities and for organisations whose core activities involve large-scale systematic monitoring of individuals or large-scale processing of special categories of data (such as health, biometric or criminal conviction data).
- Privacy by Design — the use of this approach must be proactive rather than reactive.
- Consent — this will be more difficult to obtain and must be clear and recorded.
- Data processors — accountability for processors (those who process data on behalf of the data controller) will be increased.
- Expanded territorial reach — the GDPR considers not only the location of the data processing, but the location of the subject of the data, which marks a significant expansion of the reach of data protection.
- Data subjects’ rights — strengthening individuals’ control over their personal data, including:
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- rights in relation to automated decision-making and profiling
- Fair processing/privacy notices — further information will be required and should be concise, transparent, easily accessed and free of charge.
- Breach reporting — a notifiable breach (one likely to result in a risk to individuals’ rights and freedoms) must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it, and affected individuals must be told without undue delay where the risk to them is high. Breaches that are unlikely to result in such a risk need not be reported, but every breach must still be documented internally. Robust breach detection, investigation and internal reporting procedures will therefore be essential: the 72-hour clock starts when the organisation becomes aware, not when it finishes its investigation.
- Registration requirements — the DPA’s requirement to notify (register with) the Information Commissioner’s Office is removed under the GDPR, although UK controllers will still be required to pay an annual data protection fee to the ICO unless exempt.
What is meant by the data ‘controller’ and ‘processor’ in the regulations?
Both the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR) refer to data ‘controllers’ and ‘processors’. The definitions are broadly the same under both sets of regulations, in that the controller is responsible for how and why personal data is processed and the processor acts on the controller’s behalf.
The GDPR will apply to both controllers and processors — in fact, the new regulations will place greater direct accountability on data processors than there is currently. For example, processors will be required to maintain records of the processing activities they carry out on behalf of each controller, will need a written contract with the controller setting out their obligations, and will have significantly more legal liability if responsible for a breach.
Will the GDPR still apply when the UK leaves the EU?
The government has confirmed that the UK’s decision to leave the EU will not affect the introduction of the GDPR in May 2018. It has made clear that it will adopt the new law or bring in an equivalent to allow trade to continue.
The Information Commissioner’s Office (ICO) has acknowledged “there may still be questions” around the GDPR post-Brexit, but says “this should not distract from the important task of compliance with the GDPR”.
Do the new regulations only apply to electronic data?
Although the primary focus of the GDPR seems to be on cyber security, it applies equally to paper documents, records and files that form part of a structured filing system. After all, any data stored on a computer can be printed, creating a hard copy of that information. Many organisations also hold paper files dating back several years; under the GDPR, personal data must not be kept for longer than is necessary for the purpose it was collected for, so records that no longer serve that purpose will need to be securely destroyed.
There are a number of practical considerations around paper documents ahead of the GDPR, which can be explored in our guide.