As the countdown continues to the new General Data Protection Regulation being enforced throughout the EU at the end of May, Michael Alexander looks at what’s being done by organisations to prepare.
It is the biggest overhaul of data protection legislation in a generation and it’s about to introduce new requirements for how organisations store and handle personal data.
On May 25, the European Union’s General Data Protection Regulation (GDPR) will replace the UK Data Protection Act 1998 (based on an EU directive from 1995).
Reflecting how dramatically data storage and social media use have grown over the last 20 years, it means that any organisation handling data relating to EU citizens will have to comply with the new regulation or face tougher financial penalties.
Despite Britain’s imminent departure from the EU in a little over a year’s time, all businesses and charities in the UK will have to comply as it converts into British law.
“This new law affects everyone but more importantly any organisations that hold personal data,” explains Gordon Boyle, law accountant with Dundee law firm Boyles.
“It is to protect the individual and any breach of their data that could happen.
“Organisations who hold data are only allowed to hold data for a justified reason and must be held accountable if data is leaked. Data should not be kept any longer than is necessary.”
Personal data – whether digital or hard copy – includes an individual’s name, address, date of birth, email address, IP address and photos by which someone can be identified, directly or indirectly.
Firms must demonstrate compliance; document policies and procedures; train all staff; assess any breaches and carry out data protection impact assessments.
It applies to lawyers as it does to any organisation.
But Mr Boyle, who thinks the new measures are “absolutely necessary” given the vast quantities of data now stored online, said it particularly affects solicitors, who hold a lot of “special category personal data” – i.e. criminal information for a trial that would be dangerous and defamatory if it leaked outside the firm.
He adds: “It is important that no one outside our firm can access the data nor anyone inside can leak it out.
“Also we need to look at all types of data storage and assess the risk that is from a hard copy on a desk and in filing cabinets to digital data on computer file servers and to USB sticks/CDs that hold data.
“We have to ensure all data is secure; we use file encryption and on-going monitoring and procedures.
“By May we basically need to ensure our corporate security policies and data procedures meet minimum GDPR guidelines.”
Charities will also be affected by the changes. The question of how fundraisers can lawfully contact donors and supporters, or identify and approach potential new supporters, has been the main focus of the debate about data protection so far.
Under GDPR, simply saying “click here to read our privacy policy” is no longer enough. Charities need to explain clearly why they are collecting personal data and how they intend to use it.
Explicit consent will have to be sought if the intention is to make data available to third-party providers.
The GDPR also brings in a “right to be forgotten” where people can request the removal of personal data, either if they no longer want the charity to have it or if it is no longer used for the purpose it was collected.
It’s something that former Fife councillor Marie Penman has been reading up on this week as a board member of Kirkcaldy Foodbank – and generally she thinks the changes are a “good thing”.
But as a journalism lecturer at Fife College, she’s also interested in what it means for the media.
“Current data protection rules allow journalists to be exempt if the details they’re using are in the public interest,” she says.
“The final details of GDPR are still being discussed in parliament but some politicians believe journalists’ exemption should be scrapped in the new regulations.
“Many journalists worry this will affect their ability to write investigative articles that analyse lots of data at once or that rely on information from whistle-blowers.
“This is because the new rules state that permission must be given for any personal data to be used.
“Obviously, if someone in a position of power, e.g. a politician or a banker, believes a journalist might uncover some wrongdoing by them, they may be able to prevent publication under GDPR.
“The deciding factor in this has always been whether it is in the public interest and I don’t see why that should change – it’s worked pretty well up till now.”
Loretta Maxfield, Associate in Data Protection, Intellectual Property and Technology at Thorntons Law LLP in Dundee, has set up a Tayside GDPR group to help with organisations’ concerns.
With the maximum fine that can be issued by the Information Commissioner’s Office (the UK regulator) being the greater of 4% of annual turnover or €20 million (£17 million), she urges any organisation processing personal data to seek legal advice as soon as possible to ensure it is adequately prepared.
She adds: “In many respects, I can understand why many people view it as a headache.
“However in my view, while there is a lot of work to do to prepare, I think long-term GDPR will be beneficial to both organisations and individuals.
“For organisations, GDPR presents the opportunity to have a clear out of personal data it is holding but that it no longer needs and hopefully lead to the creation of more efficient processes and accurate data going forward which should support service delivery and de-risk data handling processes.
“For individuals, I think they will benefit by having a clearer understanding of how their personal data is used and due to the financial and reputation risk of non-compliance, I would expect most organisations to treat individuals much more fairly.”
Garry Clark, East of Scotland development manager for the Federation of Small Businesses, said FSB research shows that 90% of businesses are unprepared, while a third haven’t started preparations yet.
He says: “The requirements of GDPR will be onerous, particularly for smaller businesses.
“We would urge businesses to seek out the information and assistance they need to comply.
“We have prepared a checklist for businesses as part of our #FSBDataReady campaign, whilst both Business Gateway and Scottish Enterprise also provide free-to-use resources.”