New Years UK 2020 Honours GDPR nightmare – make sure you are GDPR compliant
Are You GDPR Compliant?
There’s never a better time than the start of a new year (2020) and a new decade to review your business and ensure you are doing things correctly, especially checking you are GDPR compliant.
We have all come to realise the magnitude of data breaches and the repercussions, from the UK’s 2020 New Year’s Honour’s data breach, with personal addresses being accidentally leaked via a spreadsheet online for everyone to see.
Therefore there is no better time than now to make sure you are GDPR compliant and that you have robust systems and processes in place to ensure you are not only dealing with personal data correctly, but you are storing it securely and you are also receiving explicit consent to hold personal data.
As we know from this recent New Year Honours nightmare, ensuring you understand your obligations to GDPR, that your processes are thorough, that the way you handle personal data is secure and rigorously followed to avoid leaks, breaches and accidentally mistakes is an absolute must.
Sadly, there are many ways in which GDPR breaches can take place where a person or organisation can be held accountable for a data breach or non-compliance:
Personal data breaches can include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by a controller or processor;
- sending personal data to an incorrect recipient;
- computing devices containing personal data being lost or stolen;
- alteration of personal data without permission; and
- loss of availability of personal data.
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
Processing Personal Data
A “data subject” is any person whose personal data is being collected, held or processed. As a result, anyone becomes at some point a data subject – whether they are applying for a job, booking a flight, using their credit card or just browsing the internet, they disclose some personal data.
However, from 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 requires every organisation or sole trader who processes personal information to be part of the data protection register with them and pay a data protection fee to the ICO unless they are exempt.
What is personal data
Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Personal data only includes information relating to natural persons who:
- can be identified or who are identifiable, directly from the information in question; or
- who can be indirectly identified from that information in combination with other information.
Privacy policies provide documented proof of a business’s data processing activities and illustrates your GDPR compliant activities. This helps you justify your processing if someone raises a concern, complaint or make a subject access request. Privacy policies can also help you win business, as they prove that you take information security seriously.
Having undertaken some research regarding GDPR for micro and small businesses in the UK, I have come across a few useful resources and links for relevant GDPR information and documents: