Pretty much every single business in Europe will have been affected in some way by the introduction of the General Data Protection Regulations (GDPR) back on 25 May. In fact, a lot of businesses were forced to quickly change their data protection policies last minute as the deadline loomed (or just afterwards when the realisation the law was going to change hit).
And that's because the introduction of the GDPR marked the biggest shift in data protection for decades, making sure the data subject (ie., the individual) is protected from unwanted data use such as spam, and of course, prevent their data falling into the wrong hands. It put the subject at the centre of everything, giving them a say into how their data is used and stored.
The GDPR rules apply to all businesses both based in and operating any kind of trade in the EU, so even though the UK is supposedly leaving the EU at some point, the laws will still apply to the majority of businesses. Added to that, even if you don't conduct business with other EU-based companies, the UK's own data laws have changed to be in line with the Europe-wide regulations.
The move doesn't just apply to the protection of customer data - it applies to all of the personal data a company may have access to, such as customer data, employee information, partner records and more.
The Information Commissioner's Office (ICO) is the UK's national data regulator, tasked with enforcing GDPR in the UK, as well as the Data Protection Act 2018, which offers UK-specific provisions outside of GDPR.
This authority, which has been operating up till now under the terms of the Data Protection Act 1998, has outlined in clear terms a set of principles that lie at the heart of how a company should structure their data policies to ensure maximum compliance with modern standards for data protection.
Lawfulness, fairness and transparency
The first principle is quite possibly the most important. All personal data needs to be processed fairly and lawfully, and in a way that's completely transparent. An organisation has a responsibility to inform every individual that they collect data on exactly how that data will be used and who it will be passed on to. The collection, the processing and the disclosure of data must all be done in accordance with the law.
Data collection must be for a stated reason that is lawful and transparent, it must not be processed in a way that's at odds with that original purpose.
Organisations in charge of collecting data are obligated to make sure the information is adequate, relevant and not excessive in relation to the original reason it was gathered. The subject of the data also has the right to access any data held about them, in whatever format that data is stored, whether it be handwritten notes, emails or formal documents.
Organisations are obligated to ensure personal data held is accurate and up to date. This means that an organisation should review information held about individuals at regular intervals and amend out of date or inaccurate information. Individuals have the right to have inaccurate data about them erased or destroyed.
When data on an individual has served its purpose, it must be deleted or destroyed, unless there are other grounds for retaining it. Organisations should have a review process in place to clean up databases.
Integrity and confidentiality
The data an organisation has must be kept secure. The data controller has a responsibility to take reasonable steps to ensure the reliability of any employees who have access to personal data. If a third party is used to process data, an organisation must ensure that a contract in place with that data processor which provides for appropriate security measures.
The need to process data in accordance with an individual's rights and the transfer of data to countries abroad were two principles under the previous act but were afforded their own separate chapters under GDPR detailing extensively how these applied under the law.
The principle of 'accountability' also applies under the EU's new set of regulations, with data controllers expected to take greater responsibility for what is done with personal data, and how to comply with the other principles. Under this principle, the appropriate measures, and records must be in place to demonstrate compliance when expected.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.