GDPR 1 Year On

GDPR General Data Protection Regulation

May 25th, 2018

The GDPR came into force on the 25th May, 2018. From that point onwards, any organisation around the world processing data relating to European citizens had to comply with the new data security laws.

GDPR 1st Anniversary

Information from the European Data Protection Board (EDPB) report published in February 2019


Total fines issued:
€55,955,871

Number of Data Breaches reported by a data controller:
64,684

Individual complaints received:
94,622

Full report: http://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2019/02-25/9_EDPB_report_EN.pdf

GDPR vs. Global Brands

Many tech giants set their European headquarters in the Republic of Ireland. Facebook, Google, Apple, Microsoft, Twitter, Dropbox and many more fell under the GDPR as applied in Ireland.

The Irish Data Protection Commission said that in the first year of GDPR, the subject of most data investigations involved the tech giants, with Facebook and its brands Instagram and WhatsApp being the most investigated.

Google has already received a £44,000,000 fine from the French data regulator CNIL for its handling of personal data in targeted advertising; it is also facing another investigation from the Irish DPC for similar offences.

The tech giants, along with everyone else, had two years' notice of the new regulations, but it appears many of them chose to make the minimal effort to adjust to them.

In the USA, individuals have less robust data protection and privacy laws, and it is thought that many global companies treat the USA standards as the de facto standard. The European GDPR sets the bar much higher and gives individuals much more control over the use of their data.

Information Commissioner’s Office

ICO Enforcement

Data taken from the ICO enforcement page May 25th 2018 – 12 February 2019


ICO Fines issued:
34 (£3,335,000)

ICO Actions Taken:
59

ICO Prosecutions against individuals:
9

Penalties issued to data controllers who have not registered:
103
  • 16 of those were for the maximum amount of £4,000
  • 18 of those were for organisations in the financial/pensions industry
  • Organisations in Construction, Manufacturing, Services and Health were also commonly fined

PECR Nuisance calls & messages reported:
51,314

…of those:
  • 26% were for accident claims
  • 15% were for broadband and telecoms services
  • 9% were for PPI
  • 8% were for computer scams

PECR Spam text messages:
13,623
…of those:
  • 12% were for charities
  • 8% were for banking scams
  • 5% were for energy saving companies
  • 3% were for accident claims

PECR Automated calls:
13,623
…of those:
  • 40% were for accident claims
  • 17% were for broadband and telecoms services
  • 11% were for PPI
  • 8% were for computer scams

Number of complaints about the use of cookies:
949

Some of these fines were a result of complaints made under the Data Protection Act 1998 before the GDPR came into force. The powers available to the ICO and the level of fines that could be issued were significantly lower under the old DPA.

https://ico.org.uk/action-weve-taken/

The ICO is responsible for GDPR compliance in the UK. If an organisation processes personal data it is required to be registered with the ICO and to comply with the GDPR, regardless of size.

The ICO has stated that it is looking for organisations to build on their compliance to include data security by default. This means that any changes or new functions within the organisation will include GDPR as part of the process.

Poland's data protection authority (the President of the Personal Data Protection Office) fined a Polish company €220,000 for processing people's personal information without making them aware of the processing.

https://edpb.europa.eu/news/national-news/2019/first-fine-imposed-president-personal-data-protection-office_en

Data Protection Officers

DPOs are a requirement for some organisations, and recommended for other, smaller organisations. Organisations can make use of external third-party DPOs to help keep costs down and to bring in the required experience.

Over 500,000 organisations have registered DPOs across Europe since the introduction of the GDPR.

Data Protection Offices

Data taken from IAPP, May 2019

Estimated DPOs:
500,000

Documented DPOs:
375,000
  • 182,000 in Germany
  • 51,000 in France
  • 48,000 in Italy
  • 32,000 in the UK
  • 30,000 in Spain

Number of cases received by DPOs:
280,000

https://iapp.org/resources/article/gdpr-one-year-anniversary-infographic/

A (very quick) overview of what the GDPR is.

Personally Identifiable Data

Personally Identifiable Data is any information that can be used to identify an individual. This includes obvious data like someone's name or customer reference number, and less obvious data like a photo, customer number or CCTV image.

Data Subject

The Data Subject is the individual that the personally identifiable data relates to.

Special Category Data

Some information falls under 'special category data'; this information has extra precautions on it, such as needing explicit consent for processing it.

Special Category Data includes health, ethnic, religious, biometric and sexual information.

What is meant by ‘processing’?

How data is processed is the core of the GDPR. Processing data means any operation performed on data, such as collecting, storing, recording, organising, retrieval, transmission and so on. The data can be digital, paper based or in any other organised structure.

What consent is required?

If you're collecting information, you need to give the data subject sufficient information about why you're collecting the information, what you're going to use it for and how long you're going to hold onto it.

If you plan to use the data for a number of reasons (such as for sending marketing information and for processing an order) you need to give the data subject the option to select each use individually.

If you’ve acquired the data not directly from the data subject, you have a limited time to alert the data subject of how and why you received their data, where it came from, how you plan to use it and to give the data subject information on their rights.

If you’re processing special category data, you need to get explicit consent from the data subject before processing.

Not just consent

Consent is only one of a number of lawful bases for processing personally identifiable information. The GDPR gives a number of alternatives that might be more appropriate for your situation.

What rights do you have?

As a Data Subject, you have the following rights to manage how your personally identifiable data is used:

  • The right to be informed
    You have the right to be informed about how and why your personally identifiable information is being processed.
  • The right of access
    You have the right to request access to any personally identifiable information any organisation holds about you.
  • The right to rectification
    You have the right to have accurate information processed. If an organisation has inaccurate information they are required to correct it.
  • The right to erasure
    You have the right to have information erased after its lawful processing has completed.
  • The right to restrict processing
    You have the right to restrict further processing of your personally identifiable information.
  • The right to data portability
    In some situations, you have the right to receive a portable copy of your personally identifiable information in a format that can be easily transported to a different provider.
  • The right to object
    In some situations you have the right to object to the processing of your personally identifiable data.
  • Rights in relation to automated decision making and profiling
    If data is being processed automatically and determining your eligibility for some service, you have the right to object to the automated decision making.

GDPR Myths

GDPR Prevents data sharing
This is not true. The GDPR does put security and precautions on how data can be shared, such as the type of data that can be shared, the reason for sharing, who it can be shared with and how the data subject needs to be notified. As long as the reason for sharing data is legal and legitimate, and the data subject has been made aware of the share and given the option to not have their data shared, it is fine to share the information.

American tech giants will ignore the GDPR
A lot of tech giants have their European headquarters in Ireland, and the Irish DPA responsible for enforcing GDPR in Ireland is already investigating some of the big global names like Facebook and Apple. The French DPA has already issued a massive £44,000,000 fine against Google over its lack of transparency.

California has since released its own version of the GDPR. It is the USA's most comprehensive data protection law and has a lot of support, and there have already been calls for a GDPR-like US-wide federal law protecting personally identifiable information.

Consent is required for everything
While consent is a lawful basis for processing information, it's not the only one. GDPR gives organisations several bases for processing personally identifiable information. You should make sure you're using the right basis for your processing, as it can affect the rights that users have to their information.

You can’t use marketing emails
Under the GDPR, you need to make data subjects aware how you’re going to process their information. As long as the user chooses (opts IN) to receive marketing information, it’s perfectly fine to use their information in that way.

We don’t use computers, GDPR is only about digital information
The GDPR applies irrespective of the type of filing system you use. If you’re processing information that the GDPR covers, you need to be registered and compliant with the GDPR.

Other information that might be of interest.

Caldicott Report on the handling of medical information.
https://www.igt.hscic.gov.uk/Caldicott2Principles.aspx?tk=436113758099715&lnv=18&cb=3dc43b21-7fd7-4897-af04-0c027c7dd4a3

GDPR: May 25th


Are you GDPR Ready?

The GDPR came into force on May 25th 2018. If you are still not compliant, contact us immediately!

Time is running out

The General Data Protection Regulation will come into force across Europe on May 25th 2018.

Any organisation that processes personally identifiable information will need to be compliant with the GDPR.

Time is running out, but we can still help you get your documentation and processes ready to meet your GDPR requirements.

GDPR doesn’t apply to me

The GDPR does not apply to you if you're just managing information for purely personal or household activities. So you don't need to worry about keeping the window cleaner's details in your phone.

However, if you are a business of any size and you manage personally identifiable information, the GDPR will apply to you.

What is personally identifiable information?

The GDPR says that Personally Identifiable Information is any information that can be used to identify an individual.

This can be directly (like a person's name or email address) or indirectly (such as a client reference number, or IP details).

Common types of personally identifiable information you may use are things like employee details, customer and supplier information, cookies used on your website and emails.

But my only contacts are other businesses

In reality, this is probably not the case.

Most people have personal information for their business contacts, such as their name, position in the company or personalised email address.

What do I have to do?

You need to make sure you have documented how you collect and manage personal data, stating what safeguards you have to protect that information, and how it’s going to be used.

You need to identify a lawful basis for using the information, and make sure it is only used for that purpose.

And you need to know where the information is, who has access to it and how you can manage it if you receive a data subject request.

#WeCanHelp

There's a lot of work that needs to be done getting GDPR compliant; we can take the burden off you and create the policies, documentation and processes you need to make sure your organisation is compliant.

We can continue to support you by processing your incoming user requests and monitoring your processes to make sure your organisation remains GDPR compliant.

Contact Us Today!

Some of the GDPR specific services we offer include:

  • Data Protection Officer Services
  • Policy Writing
  • Data Handling
  • ICO Registering
  • Process Monitoring
  • Process Assessment


GDPR: What it means to everyone else

Person

What is all this GDPR?

It’s not just businesses that need to know about GDPR. The GDPR is all about you.

The GDPR is a set of new regulations that say how organisations can collect, use and store data about you. It also states what rights you have to your data, and how you can get hold of the data any organisation has about you.

GDPR: Business to Business


Business to Business marketing

The GDPR covers information that identifies individuals only, so any business to business marketing would not be covered as long as the details are generic and don’t identify an individual.

So if the email address was sales@businessname.co.uk that would be fine, as no individual is identified; however, if your contact is j.bloggs@businessname.co.uk then you are identifying an individual and therefore the GDPR does apply.

That doesn't mean you can't send marketing materials to them; there are several lawful bases that could apply depending on the situation, as long as the information you're sending is relevant, expected and not intrusive.

Business Cards

The GDPR will apply to business cards if they contain an individual's personally identifiable information, like their name (and what business cards don't have names on them!) and if you store them in an 'organised filing system'.

That could apply to a Filofax, Rolodex or similar system, or if you input the details into a digital storage system, like your phone or PC address book. It's slightly less clear if the information is 'stored' loose in your drawer or desk.

Again, the GDPR offers means to ‘store and process’ this information in this way, you just have to be aware of it and make sure you don’t use the information in a way that would be unexpected. It might be expected to pass the details onto an interested third party, say a work colleague, who might want to make contact with the individual. It would probably not be expected for you to pass that information onto a third party marketing company that has no relation to you or your business.


General Data Protection Regulations

Data Protection Act 2018

The GDPR UK implementation and the UK Data Protection Act 2018 govern how organisations can process personally identifying information.

If your organisation needs to process personal information, it needs to be registered on the ICO database, and have a Data Protection Policy in place detailing the use of personal information.

Personal Information is any information that can identify an individual, such as employee names, customer IDs or CCTV footage.

If you need help assessing your GDPR compliance, contact us immediately for a GDPR review.


GDPR: What about our existing data?

When the Data Protection Act is replaced by the GDPR, what is going to happen to your existing data? Will you need to contact everyone to get permission to hold their data? What if they don't respond?

General Data Protection Regulation

Are you GDPR Ready?

May 25th – Are You Ready?

On May 25th 2018, Regulation EU 2016/679, better known as the General Data Protection Regulation (GDPR), will come into force in the EU, and will have an impact on organisations worldwide that deal with personal information from EU citizens. GDPR is the successor to the Data Protection Act in the UK, which has been around since the 1980s.