Tuesday, 15 May 2018

GDPR: What, How, When, Where, Who?


In an increasingly digital world, it is arguably harder to keep track of what we have bought, who we have spoken to, what we have signed up to and, more importantly, where our data is held. When we receive telephone calls about accidents that we never had, or emails from a friend who is supposedly stuck in Thailand after being involved in a tuk-tuk collision, it often worries us how our details ended up in such ominous hands.

Organisations have become wise to the trends in consumer behaviour; namely, we want things done quickly and efficiently with as little bureaucracy as possible. This trend has been exploited by firms that treat pre-ticked boxes and electronic receipts as consent to marketing, as a way of increasing their customer base and decreasing consumer knowledge.

Well, four letters have the potential to shift the power back to the consumer, and those four letters are G.D.P.R. You may have only just started to hear the acronym being used, or might not be aware of what it even means, but organisations all over Europe are currently working on becoming compliant with what is being dubbed the biggest change to data protection law in the last 20 years.

This article will give you a brief understanding of the EU General Data Protection Regulation (GDPR) and what MJP Conveyancing has been doing to ensure compliance for our clients.

What?

1998: the era of chunky Nokia flip phones and dial-up computers. 1998 was also the year that the Data Protection Act was introduced, setting out 8 principles governing the use of personal information. Since 1998 we have witnessed technological growth on a scale far greater than we can process, resulting in inadvertent cultural trends and an increasing imbalance of power in favour of the producer rather than the consumer.

Let’s take the Tesco Clubcard as an example. Introduced in 1995, the Clubcard was arguably introduced to gain a competitive advantage against its rivals by offering perks to returning customers. Since 1995, however, the growth in technology and in the types of data collected through the Clubcard has enabled Tesco to gain a better understanding of their customers’ shopping habits, such as what meals people like to eat, whether people like to cook from scratch or how many people are in the household based on the number of toilet rolls a customer purchases. My point? It is clear to see how data collection and analytics are changing at a rapid pace, and there has been a growing need to modernise data protection legislation in order to protect how our data is shared and utilised by organisations.

The General Data Protection Regulation (amongst many other functions) seeks to bring data protection legislation into the 21st Century by protecting the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.  


How?

How does GDPR seek to modernise data protection regulation? It does so in various ways, such as the appointment of a Data Protection Officer, free Subject Access Requests and the relationship between data processors and controllers.

One particular modernisation, under Chapter 3 of the GDPR, lays out 8 rights for individuals, namely:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability 
  7. The right to object 
  8. Rights in relation to automated decision making and profiling.

These 8 rights, amongst other things, aim to provide individuals with a higher degree of access to their data as well as more transparency around how it is processed. What’s more, the GDPR explains how companies must provide a ‘reasonable’ level of protection, which in itself provides the Information Commissioner’s Office with a lot of scope to fine companies who are in breach of these rights under the regulations.

Another modernisation of data protection law through GDPR is the mandatory requirement to report data breaches to the ICO within 72 hours, which was not required under the Data Protection Act. Companies such as Carphone Warehouse, Facebook, Under Armour and My Fitness Pal have been in the press recently for data protection breaches, but it is not just the big guys that face liability. Small and large companies alike are under an obligation through Article 33 of the GDPR. With fines as large as €20 million or 4% of total global turnover, versus maximum fines of £500,000 under the Data Protection Act, not only is GDPR enabling regulatory bodies to clamp down on bad practice, but it is also providing clients with a satisfying remedy, knowing that their data has not financially benefited business.

Overall, these regulations reflect a changing technological landscape, which in turn has required our legislation to impose a greater degree of responsibility on those who control and process data as part of their business.

When?

GDPR comes into force on the 25th of May 2018. MJP Conveyancing have been working since December 2017 to ensure full compliance with the regulations. A dedicated team of in-house staff have worked through a project list and we are now confident that we are compliant with the regulations.

Where?

You may be wondering why I have taken the time to write this article, given that the GDPR regulations are a piece of EU legislation and don’t apply to us because of Brexit. This is in fact wrong: the UK will have to prepare for GDPR along with all the other organisations within the EU, in line with Article 3 of the GDPR.

To end…

MJP Conveyancing has been working tirelessly to comply with the GDPR regulations, having successfully run a re-permissioning campaign, risk assessments and audits, staff training and various policy changes. We feel ready for the regulations and hope to provide our clients with a safe, transparent and reliable service, which is really the ultimate aim of these regulations.

See you on the other side of May 25th!


Written by Emily Chawawa.

MJP Compliance Officer 
