Data Protection FAQs Answered

IG Smart recently conducted some simple Google Analytics research to discover what the most commonly asked questions about data protection are.

Here are the top 4 questions that people are asking…

• what is data protection?
• why is data protection important?
• what is a eu directive?
• where can I find information on data protection?

Interestingly, our research also revealed that more people are asking (Google) about data protection than ever before.

Why the increase in interest in data protection?

Our guess that this is because:

• under the new EU General Data Protection Regulation (GDPR – which comes in to force across the EU and UK on the 25th May 2018), organisations that breach privacy data protection and laws face being fined 4% of their global annual turnover or £20 million (whichever is greater), per data breach.
• there has been a marked increase in media coverage about data protection with high profile breaches hitting the headlines in abundance. From national security leaks from Edward Snowden, to those embarrassed by being exposed on when the Ashley Maddison website was hacked.

The following brief and simple guide will answer each of the 4 questions above, and point you in the right direction for further guidance, which can help you to prepare for the far-reaching impact of GDPR.

1. What is data protection?

Data protection is about ensuring that all confidential and sensitive personal data within your possession (whether you own it or not) is used lawfully and securely.

In simplified terms of the UK Data Protection Act 1998 (DPA) this means you must:

• fairly notify people about how you specifically intend to use their data
• obtain consent to process personal data (whether express or implied)
• keep personal data confidential, accurate, complete and up to date
• restrict access to personal data on a need to know basis
• not keep personal data for longer than is necessary
• secure personal data at rest, and in transit, with adequate organisational (e.g. contracts, policies, training and procedural guidance) and technological controls (eg firewalls, strong passwords and encryption)
• not process personal outside of the European Economic Area (unless the country or territory has adequate measures in place (here is a link to the current list of countries with adequacy – you may note that the USA is not one of them, and so in case this is relevant to you we have also included a link to a workaround which is known as the EU/US Privacy Shield).
• ensure all personal data are confidentially destroyed when no longer required
• with the express or implied consent of the data subject (who is generally the person whose data it is that is in your possession)); and kept accurate, up-to-date, complete and secure.

2. Why is data protection important?

There are lots of reasons why data protection is important. However, to get quickly to the point, we think that the following three reasons will probably jump out at you the most:

• With stories of embarrassing data leaks constantly being strewn across the headlines, people are becoming increasingly aware about the need for good data protection. If your customers/end-users feel as though you will not keep their data private and secure they simply won’t use your products and/or services.
• If you breach current UK data protection law (Data Protection Act 1998) the UK Information Commissioners Office (ICO) has the power to fine your organisation up to £500,000 per breach. A power that the ICO is not frightened to use, with organisations are being fined each month – the highest fine being imposed so far being £325,000. What’s more, GDPR raises the stakes to an eye watering £20 million per data breach.
• Data protection compliance is not just about data privacy and security. Importantly it is also about ensuring that your confidential and sensitive data are accurate, up-to-date and complete. Good data protection helps you to ensure good data quality. Good data quality leads to more effective decisions being made, and better and more personalised products and services being developed.

3. What is a eu directive?

An EU Directive is essentially an EU law which is indirectly (i.e. each member state has the power to interpret directives into their own national legislation) imposed on all EU Member States.

Fast facts about EU & UK data protection law

• The original EU Data Protection Directive was adopted in 1995.
• To assure compliance the UK enacted the Data Protection Act 1998 (DPA).
• The DPA sets out 8 data protection principles which, until GDPR comes into force, must be followed by all individuals and organisations that process personal data.
• What is different about GDPR is that it is an EU regulation – which means that it is directly applicable to all EU Member States (and there is very limited scope for national interpretation).
• The UK therefore, has no choice other than to directly comply with GDPR – irrespective of ‘BREXIT’ (as the GDPR comes in to force before the UK leaves the EU).
• Post-BREXIT all UK organisations that continue to collect or process data belonging to EU citizens are likely (this is a complex and evolving area of data protection law, with complete formal EU guidance yet to be issued) to either have to comply directly with GDPR or demonstrate adequacy.

4. Where can I find information on data protection?

The best place to find up to the minute information about UK data protection law is on the ICO’s website. The ICO produces lots of useful free guidance and training materials. What the ICO does not do however (at least in most cases), is drill down into industry specific detail.

Be the first to know about GDPR changes and guidance materials by keeping an eye on the European Justice Commission website.

If you found this guide helpful, then follow the links below to read more now, or save them in your bookmarks for later:

• 10 things you can do to prepare for GDPR
• Simple steps to data protection compliance
• How to reduce your data protection risks

Want more regular data protection updates?

You can also sign up to receive our inbox insights about the most relevant things that are happening in the world of data protection.

Need tailored data protection advice?

Call us now on 020 3824 2426 and arrange to speak to a friendly, plain English speaking data protection specialist