This month we wanted to update you on some changes to data protection that will affect everyone at Johnsons.
You may be aware that a new set of data protection rules, the General Data Protection Regulation (GDPR), will come into effect on 25th May 2018 and will replace the 1995 Data Protection Directive.
Enforced by the Information Commissioner's Office (ICO), the change brings outdated personal data rules up to speed with an increasingly digital era. The amount of data we produce now wasn't foreseeable when the current data protection laws were drawn up in the late 1990s.
So, what's new? There are new rights for people to access the information companies hold about them; GDPR changes how personal data can be used; there is a clear responsibility for organisations to obtain the consent of the people they collect information about; there are obligations on businesses to manage data better; and there is a new regime of steep fines.
But what is personal data? Personal data is a complex category of information, but broadly it means any piece of information that can be used to identify a person. This can be a name, an address, an IP address… you name it. In addition, sensitive personal data covers genetic data, information about religious and political views, sexual orientation, and more.
Companies covered by the GDPR will be more accountable for their handling of people’s personal information. This can include having data protection policies, data protection impact assessments and having relevant documents on how data is processed. I will be issuing a copy of our new GDPR policies and procedure shortly. You may wish to refer to these and in particular the procedure for how we will manage and store personal data at Johnsons.
Why do we need it? In the last 12 months there have been a score of massive data breaches, including millions of Yahoo, LinkedIn, and MySpace account details. Under GDPR, the "destruction, loss, alteration, unauthorised disclosure of, or access to" people's data has to be reported to the country's data protection regulator – in the case of the UK, the ICO – where it could have a detrimental impact on the people it is about. This can include, but isn't limited to, financial loss, confidentiality breaches, damage to reputation and more. The ICO has to be told about a breach within 72 hours of an organisation finding out about it, and the people it impacts also need to be told.
What if we get it wrong? One of the biggest, and most talked about, elements of the GDPR is the power for regulators to fine businesses that don't comply with it. If an organisation doesn't process an individual's data in the correct way, it can be fined. Therefore, we have arranged for you to receive an online e-learning training course on the subject of data privacy and GDPR, which you will need to complete prior to 25th May.
And finally, does Brexit make a difference? The UK is implementing a new Data Protection Bill which includes largely all the provisions of the GDPR. There are some small changes, but our own law will be largely the same.
I have taken on the role of Data Protection Officer (DPO) for our company, so if you have any questions regarding GDPR I would be happy to answer them.