I am here to alleviate worries: the General Data Protection Regulation (GDPR) is not as scary as many of my clients believe. I should point out that I am not a lawyer, I am not practising law, and my opinion is my own.
Saying this, I am pretty knowledgeable about data protection; I would go as far as to say I have always loved the data protection acts in the UK. They have been part of my life since the very first time I built a website and started working/volunteering for membership organisations in 1997.
The GDPR regulations were seven years in the making and replaced the data protection regulations from 1995. As you will know, technology changed dramatically between 1995 and 2018, and the 1995 regulations had simply failed to keep up.
The UK’s regulatory body, the Information Commissioner’s Office (ICO), did its best to lay out the groundwork for organisations so they could be prepared for the release of the new law and regulations.
On 25th May 2018 the General Data Protection Regulation (GDPR), the EU law on data protection and privacy in the European Union and the European Economic Area, was released.
And suddenly everyone was scared and panicky. The fact that many of the rules and regulations set out already existed did not seem to matter, and the press went ‘nuts’ telling everyone that they were going to lose their shirts when it ‘all went wrong’.
“Any breach of data from a company will immediately incur fine of up to £23.6 million or 4 percent of the business’s total worldwide annual turnover, whichever is higher.” The Express 24 May 2018
“Companies can be fined up to 4% of annual global revenue, but it will come down to how regulators in individual countries choose to enforce the law.” The Guardian 19 April 2018
With quotes like the above, no wonder my clients tend to panic: a huge fine has the possibility of shutting down any type of organisation. The thing is, for the most part the severity of a fine only comes if your organisation has done something intentionally wrong.
Abuse or a Breach
The thing is, the GDPR regulations are fairly good at what they do. They prevent people and organisations abusing people’s personal data. The majority of fines the ICO has enforced are against organisations that have not asked permission to use personal data or have abused permissions to use the data they collected.
This is very different from an organisation like many of my clients, which is using people’s personal data with their users’ permission, in the correct way. The worst thing that can happen to these organisations is a breach.
What is a personal data breach? “A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.” (ICO Personal Data Breaches page)
What happens if there is a ‘Breach’?
Organisations can get fined for doing something irresponsible, but if they deal with a ‘breach situation’ in a sensible manner there is only a very slight chance of a fine coming their way.
There are strict rules about reporting a ‘breach’, but basically the rules are:
Inform: work out what has happened and how. All organisations (they have a duty of care to their users) need to report certain types of personal data breach to the ICO within 72 hours.
Prevent: work out how the data breach can be prevented from happening again and implement this solution.
Report: report to the relevant parties, including anyone whose data has been breached. They need to know what happened, what you have done about it and how it will be prevented from happening in the future. I think it shows courage and confidence for organisations to include a link to the ICO to show you have taken all the relevant steps.
My cautionary story here is that if you are sending out the same email to multiple users, please remember to use BCC (blind carbon copy allows the sender of a message to conceal the addresses entered in the Bcc field from the other recipients). Otherwise, your organisation stands a fairly good chance of creating a second breach by sharing multiple email addresses.
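As an added example (not from the original post), here is how the BCC caution above translates into code when an organisation scripts its breach notices to affected users: the affected addresses are handed to the mail server one at a time as envelope recipients and are never written into a visible header, and a check confirms that none of them appear anywhere in the serialised message. The sender address and the affected addresses are constructed placeholders.

```python
from email.message import EmailMessage

# Constructed sample data for this example; these are not real addresses.
SENDER = "privacy@example-org.test"
AFFECTED_USERS = ["alice@example.org", "bob@example.org", "carol@example.org"]


def build_naive_notice(sender, affected, body):
    """The mistake the post warns about: every affected user lands in To:,
    so each recipient sees everyone else's address (a second breach)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(affected)
    msg["Subject"] = "Notice of a personal data breach"
    msg.set_content(body)
    return msg


def build_breach_notice(sender, affected, body):
    """Safe form: the visible To: header names only the sender, and the
    affected addresses are returned separately as SMTP envelope recipients.
    Not even a Bcc: header is written, so nothing can leak if the raw bytes
    are later handed to a relay that does not strip it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = "Notice of a personal data breach"
    msg.set_content(body)
    return msg, list(affected)


def leaked_recipients(msg, affected):
    """Return every affected address that appears in the serialised message
    (headers or body). An empty list means no recipient is disclosed."""
    raw = msg.as_string()
    return [addr for addr in affected if addr in raw]


if __name__ == "__main__":
    body = "We are writing to inform you of a personal data breach ..."
    notice, envelope = build_breach_notice(SENDER, AFFECTED_USERS, body)
    assert leaked_recipients(notice, envelope) == []
    # Sending would then be one envelope recipient per delivery, e.g.
    #   smtp.send_message(notice, from_addr=SENDER, to_addrs=[rcpt])
    # inside a loop over `envelope`; smtplib is not imported here so the
    # example runs offline.
    print("safe notice leaks:", leaked_recipients(notice, envelope))
    naive = build_naive_notice(SENDER, AFFECTED_USERS, body)
    print("naive notice leaks:", leaked_recipients(naive, AFFECTED_USERS))
```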
On that note, I should point out that one of the reasons I personally love the GDPR regulations is that I get far less spam, and because I am informed I know how to prevent my personal data from being abused.
GDPR was and is necessary, although during the current world crisis (Covid-19) governments have chosen to use their discretionary powers to ignore many people’s personal data rights. Although I understand why this has happened, I can’t bring myself not to see it as a little scary. It kind of reminds me of the phrase “the greater good”. Edit: one week has gone by and it seems I am not the only one, as the BBC published this on 20 July 2020.
But this is not the place for fear; this is my blog for my freelance work. And for the most part, I do love GDPR when organisations adhere to it. I don’t think it goes quite far enough for certain vulnerable groups, including children’s rights, but it is a good starting point.