Data protection principles
If you process data, you can stay lawful by adhering to these principles

Pretty much every single business in Europe will have been affected in some way by the introduction of the General Data Protection Regulation (GDPR) back on 25 May. In fact, a lot of businesses were forced to change their data protection policies at the last minute as the deadline loomed (or just afterwards, when the realisation that the law had changed hit).
And that's because the introduction of the GDPR marked the biggest shift in data protection for decades, making sure the data subject (i.e., the individual) is protected from unwanted data use such as spam and, of course, preventing their data from falling into the wrong hands. It put the subject at the centre of everything, giving them a say in how their data is used and stored.
The GDPR rules apply to all businesses both based in and operating any kind of trade in the EU, so even though the UK is supposedly leaving the EU at some point, the laws will still apply to the majority of businesses. Added to that, even if you don't conduct business with other EU-based companies, the UK's own data laws have changed to be in line with the Europe-wide regulations.
The move doesn't just apply to the protection of customer data - it applies to all of the personal data a company may have access to, such as customer data, employee information, partner records and more.
The Information Commissioner's Office (ICO) is the UK's national data regulator, tasked with enforcing GDPR in the UK, as well as the Data Protection Act 2018, which offers UK-specific provisions outside of GDPR.
This authority, which had been operating up till now under the terms of the Data Protection Act 1998, has outlined in clear terms a set of principles that lie at the heart of how a company should structure its data policies to ensure maximum compliance with modern standards for data protection.
Lawfulness, fairness and transparency
The first principle is quite possibly the most important. All personal data needs to be processed fairly and lawfully, and in a way that's completely transparent. An organisation has a responsibility to inform every individual that they collect data on exactly how that data will be used and who it will be passed on to. The collection, the processing and the disclosure of data must all be done in accordance with the law.
Purpose limitation
Data collection must be for a stated reason that is lawful and transparent, and the data must not be processed in a way that is at odds with that original purpose.
Data minimisation
Organisations in charge of collecting data are obligated to make sure the information is adequate, relevant and not excessive in relation to the original reason it was gathered. The subject of the data also has the right to access any data held about them, in whatever format that data is stored, whether it be handwritten notes, emails or formal documents.
Accuracy
Organisations are obligated to ensure the personal data they hold is accurate and up to date. This means that an organisation should review the information it holds about individuals at regular intervals and amend out-of-date or inaccurate information. Individuals have the right to have inaccurate data about them erased or destroyed.
Storage limitation
When data on an individual has served its purpose, it must be deleted or destroyed, unless there are other grounds for retaining it. Organisations should have a review process in place to clean up databases.
Integrity and confidentiality
The data an organisation holds must be kept secure. The data controller has a responsibility to take reasonable steps to ensure the reliability of any employees who have access to personal data. If a third party is used to process data, an organisation must ensure that a contract is in place with that data processor that provides for appropriate security measures.
Other principles
The need to process data in accordance with an individual's rights, and the transfer of data to countries abroad, were two principles under the previous act; under GDPR they are given their own separate chapters, which set out extensively how they apply under the law.
The principle of 'accountability' also applies under the EU's new set of regulations, with data controllers expected to take greater responsibility for what is done with personal data and for how they comply with the other principles. Under this principle, the appropriate measures and records must be in place to demonstrate compliance when required.

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.