They think it's all over.....
Okay, this article has nothing to do with football or the World Cup, apart from borrowing the phrase, which does suit the content. If the title brought a slight smile to your face, the next word will remove it.
The General Data Protection Regulation
Yes, the acronym that most organisations in the UK will be heartily sick of following its widely trailed introduction on May 25th 2018. Certainly our clients descended into a frenzy of activity around “Privacy Notices” and “Data Protection Impact Assessments”, and mulled over whether they really needed to appoint a Data Protection Officer. And then there were all the letters sent to and by suppliers regarding their obligations under GDPR.
So, it’s a month on, and Dixons Carphone has suffered the ignominy of being widely reported as the first UK-based company to suffer a major data breach that needed to be reported under GDPR, with a potentially substantial, as yet undetermined, fine to follow.
So why are we writing an article about GDPR if it’s all over?
Well, firstly, it won’t be all over, because the way the regulation is written forces organisations to review their “technical and organisational” measures continually to ensure that they remain compliant and protect privacy. In particular, anything new that could fail to protect personal data must be reviewed before it is introduced. For example:
• Introduction of a new case management system
• Introduction of a new telephone system
• Setting up a new office or re-organising the layout of an existing one
• Recruiting new personnel
• Ensuring training for data privacy is on-going
• Engaging a new supplier
These are just some examples. If a firm is accredited to Lexcel, then the planned new version, 6.1, will most likely introduce new requirements in line with GDPR.
We titled this article “they think it’s all over…” when clearly it isn’t. However, there is also a new player in the mix that many firms aren’t aware of. On May 23rd 2018, the Data Protection Act 2018 received Royal Assent. This Act writes the principles of GDPR into UK law and fills in the areas where GDPR left member states to set “local” requirements.
For example, Article 10 of the GDPR says little about how criminal offence data may be processed beyond deferring to national law: “Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.”
So, where Article 10 defers to member state law, the Data Protection Act 2018 supplies that law for the UK and spells out the conditions under which criminal convictions data may be processed. The detail can be found in Schedule 1 of the Act, http://www.legislation.gov.uk/ukpga/2018/12/schedule/1/enacted, which also covers the other special categories of personal data.
For each condition, the Schedule states what an organisation relying on it must have in place, including, for many of the conditions, an appropriate policy document explaining how the data is handled. For most firms this means changes or additions to client care procedures, modifications to client privacy notices and corresponding policy updates.
And that’s just one element of the Act.
So, to return to our football analogy…
They think it’s all over?
Not by a long way.