General Data Protection Regulation (GDPR) and the Data Protection Act

The General Data Protection Regulation (GDPR) is something almost everyone in Europe has heard about. It is the Europe-wide regulation that sets out what organisations are allowed to do with data about people and what people’s rights are in relation to data about them.

In the UK, GDPR is implemented as the Data Protection Act (DPA) 2018 (not required reading, but should you want to check specifics, you can learn more about it here: The Data Protection Act).

If someone holds data about a person, they are required to make sure that:

• It is used fairly, lawfully and transparently
• It is used for specific purposes – that is, not collected and then further uses found later, or data kept ‘just in case’
• Use and scope are limited to only what is necessary
• Data is accurate and kept up to date
• Data is kept for the shortest time necessary
• Data is kept securely

Certain information can have even stronger protection. This includes data such as race, ethnic background, political opinions, religious beliefs, trade union membership, genetics, biometrics, criminal convictions, health and sexual orientation.

The DPA also gives people the right to find out what information the government and other organisations store about them, such as:

• The right to know how personal data is being used
• The right to know what data is stored
• The right to have incorrect data updated
• The right to have personal data erased

The DPA also gives people the right to ‘data portability’, which allows them to have access to their data and use it for other services. For example, you should be able to export your email account contents and import it in another service.

The scary side

For an organisation, these rights are protected through fines. Should an organisation be found to have breached the DPA, the fine can be up to £17m or 4% of global turnover, although if the first breach is accidental, it could lead to no more than a warning.

Data protection applies at all stages of business and systems should be auditable, which means you are responsible if you collect data even if you then pass off the handling to someone else. You must be able to verify their processes too.

Data protection equivalents in the USA

The USA doesn’t have the same laws around data protection, but there are special laws around health information in the form of the Health Insurance Portability and Accountability Act (HIPAA) and various laws around data breaches, although the exact law will depend on the state. In the links below, you’ll find a website with state-by-state laws.

Your task

Now that GDPR is here, we are starting to see cases of breaches and the actions taken. You can easily find news about breaches on sites such as BBC News. Look at some of the most recent examples and find those that surprise you. This maybe because of the scale of the breach, the scale of the fine or because you didn’t expect that the data in question would be held by the company that had the breach.

Post your findings in the comments.

References

_{Legislation.gov.uk (2018) Data Protection Act 2018 [online] available from http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted [31 July 2019]}

_{General Data Protection Regulation (EU) 2016/679 [online] available from https://gdpr-info.eu/ [31 July 2019]}