Organisations that protect data gain the trust of their employees and customers. Good data protection procedures will ensure that your organisation maintains people’s fundamental rights of privacy. Such procedures will let your stakeholders have control of their own data and protect their identity and interactions with others. Good data protection procedures will ensure your organisation strikes the balance between the needs of your business and the wider interests of society.
Data protection can incorporate many different things. It is about ensuring that stakeholders, such as customers, employees, investors and even the general public, trust your business to use their personal data fairly and responsibly. In a more practical sense, it is about building a relationship of trust between individuals and organisations. At its most basic level, it is about treating people fairly and openly, and recognising their right to have control over their own identity and interactions with others. Data protection strikes a balance between the interests of business operators and the wider interests of society.
The GDPR regulations were groundbreaking in 2018 and brought all the data protection requirements into a single UK Act that protects individuals and their data. Since 2018, the Information Commissioner's Office (ICO) has pursued and prosecuted a number of organisations for breaches of the data protection legislation. These include:
| Organisation | Fine | Reason |
|---|---|---|
| Marriott International Inc. | £18.4 million | Failure to keep 339 million guest records secure |
| Reliance Advisory Limited | £250,000 | Made 1.1 million non-consensual marketing calls to consumers |
| Studios MG Limited | £40,000 | Sending thousands of unlawful marketing emails without consumer consent |
The General Data Protection Regulation (GDPR) is the latest in EU data protection legislation, implemented in 2018. The Regulation applies to all businesses operating within EU jurisdiction. As an extension of previous legislation, the Regulation will also apply to those businesses and legal entities not based in the EU offering services, goods and technology to businesses and legal entities within the EU.
The domestic UK data protection regime is set out in the Data Protection Act 2018, together with the GDPR (which is by itself applicable in the UK); the Act is the application of the Regulation within the context of UK-based organisations. The Act is the third generation of UK data protection legislation. The Data Protection Act 2018 fills in certain gaps in the GDPR and incorporates the Regulation into the context of UK legislation and jurisdiction. In essence, the Data Protection Act 2018 covers processing that does not fall within EU law, in this case the GDPR.
GDPR and data protection are critical pillars of information security, and organisations that operate with an ISO 27001 management system should recognise the legislation within their compliance register. The Statement of Applicability for ISO 27001 requires an organisation to identify how it uses, processes and manages data, and with increasing levels of punitive fines, all organisations need to manage this issue effectively.
Enforcement of the General Data Protection Regulation, and by extension the Data Protection Act 2018, falls under the Information Commissioner’s Office (ICO). The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals within the context of UK-based organisations.
Furthermore, the ICO also has the capacity and authority to cooperate with data protection authorities and organisations from other countries. Even after Brexit and the UK's exit from the EU, which comes into full effect on 31 December 2020, the ICO will continue to work with the European Data Protection Board (EDPB), which includes representatives from the data protection authorities of each EU member state.
The majority of the GDPR's main concepts, principles and provisions are much the same as those in the current Data Protection Act 2018. If your business is in proper compliance with the current law, then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from. However, there are other new elements and significant enhancements that will require your business to do some things for the first time and some things differently. ISO 27001 and similar programmes, such as Cyber Essentials, provide a sound platform of management practices on which to manage data protection and the GDPR requirements.
Published on 7 September 2020