[GDPR] Basics Training – Part 1 – What is Data Protection?

A basic guide to introducing you to Data Protection and GDPR.

This article forms part of a collection to introduce you to what Data Protection and ‘GDPR’ are. It’s based upon staff training that we’ve provided for companies to make sure they had a basic working knowledge and were able to take the steps to protect individuals personal information in their care.

It’s amazing to think that at the time of writing this that the GDPR introduced 25th May 2018 here in the UK is over two years old in Law (and older if you consider when it brought to the EU to be voted for, and even older to when it was first starting to be written) and that companies are still learning about it and trying to instil a privacy-first mantra into their business. I want to help this as much as possible and try and remove the ‘scary’ and ‘confusing’ myth that has built around it. This first guide starts at the beginning to explain what data protection is from a top-level, If you have any questions or comments about this guide, data protection or GDPR don’t hesitate to contact me.

What is Data Protection?

Growing from the 1960s, the use of computers to store information about customers, staff and citizens wildly gained traction by businesses, governments and different organisations. This data ranged from basic contact information such as Name, Address and Telephone number to more advanced and detailed information such as medical conditions, financial history and criminal convictions. They can’t be blamed for this and the move from paper records to centralised databases is because they are so much more easily accessed, searched, edited and generally maintained. These digital databases also allowed the data to be cross-referenced in a quick and easy way which allowed these businesses/governments/organisations to perform their own actions, research and marketing at a much lower cost. This grew as the computers on which these databases resided were also networked together and eventually made available remotely over the internet allowing all sorts of people across a business/government/organisation to access and share information with each other, and other groups. 

Unsurprisingly with more and more organisations in the 70s and 80s storing and processing a growing volume of data (Imagine how much data a supermarket gains on its customers each year, or even the NHS) there started to be concerns from both the general public and legal entities that there was no Law covering what could and couldn’t happen with this data, how accurate it was, who was allowed to access or copy it and what rights the original data owner had over them. 

 Here in the UK in 1984 the first Data Protection Act aimed at digital/computerised records came into effect, shortly followed 14 years later by the second Data Protection Act. It’s this second data protection act that most of us under a few years ago were familiar with. It’s principles were that your data had to be stored and processed;

 

  1. In a fair and lawful manner transparent manner in relation to individuals
  2. That the data had to be collected for a specified, explicit and legitimate purpose
  3. That the data kept had to be adequate, relevant and limited to what was necessary for the organisation collecting to meet their described purpose (data minimisation). 
  4. That the data had to be accurate, kept up-to-date and that ‘every reasonable step’ must be taken when incurrence is found to update or erase it.
  5. Your data must only be kept for as long as it’s needed and individuals must be told how long this is where possible.
  6. That the data must be processed only in accordance with the rights of individuals
  7. That the company storing the data must take adequate steps to ensure the security of the data.
  8. That personal data must not be transferred outside of the European Economic Area without adequate protection.

 

And if you failed as a company to do this, the ICO might investigate you and then fine you up to £500,000 (which many large corporations wouldn’t even blink at).  I did try to look up how many fines the ICO issued under the 1998 Data Protection act but wasn’t able to locate a full history. 

Remember these principles, as they remain and are built up when it comes to the Data Protection Act 2018 (Which includes the GDPR). 

The General Data Protection Regulation (GDPR) made law on the 25th May 2018 and was introduced to level the playing field across the EU in the protection standard given to their personal data creating a level of trust that is needed for the EU’s digital economy to safely develop, The GDPR makes law the fundamental right of every living person living in the EU to control their personal information. This means that to trade with the European Economic Area companies and businesses based outside of it need to comply with European standards for data protection (Although we’re still waiting to see what happens when they don’t!). To enforce this in the UK it comes under the care of the Information Commissioners Office (ICO), as the 1998 Data Protection act didn’t provide enough of a financial deterrent to companies abusing data the GDPR introduced the ability for the ICO to fine up to 20 million euros or up to 4% of the breaching organisations global turnover (based upon the previous years turnover).