Data protection is at the heart of what our PrivacyRun system has been designed to manage. But what is it, exactly? And how do the laws, legislation, bills, and breaches of the Data Protection Act and GDPR affect your business?
Well, hopefully, we’re about to answer all of your questions. For further, more specific issues that our introductory guide doesn’t cover, we’d love to hear from you. Our team are experts in the field and will happily guide you through all aspects you don’t quite understand and show you how our PrivacyRun package manages them for you.
Data protection is designed to ensure that anyone sharing information with a business or organization is protected and that their data will be used and held responsibly and legally.
Data protection law is the combination of legislation and regulatory acts and bodies that govern how your information is collected and utilized. The Data Protection Act is one part of the legislation. The other key area is GDPR (General Data Protection Regulation), the most comprehensive data protection legislation worldwide.
The DPA protects us from our personal information getting into the wrong hands. We share so many sensitive details with different vendors and providers that we want to stay private. The act’s job is to make sure they stay that way.
The Data Protection Act (DPA) is a UK Act of Parliament, passed in 1988, to develop the control of our information.
The DPA is monitored and regulated by the Information Commissioner’s Office (ICO). The ICO offers advice and guidance, promotes good practice, manages audits, reports, complaints, and breaches, and delivers enforcement and action where required.
GDPR, the ICO and the Data Protection Act set out a range of key principles for lawful personal data processing. So, what are the 7 data protection principles?
These principles dictate how businesses and organizations collect, organize, structure and store our information. They also detail their proper communication, removal and destruction. They also cover what happens when anyone breaks those rules.
The DPA covers the processing of all personal data relating to a living individual (also known as the data subject) that can be used, on its own or with other information, to identify them.
It covers data held electronically or as a hard copy, and wherever it’s stored.
Personal data includes the more typical types of private information, for example, a subject’s name, address, medical, and banking details.
Sensitive data digs a little deeper, including such information as race and religion, political opinions, criminal activity, your sex life, and more.
According to the ICO:
“A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.”
This definition covers a vast range of possible incidents—from accidental delivery of personal data to incorrect recipients and unauthorized access by a third party to loss of hardware containing personal data, and the loss of availability of any data.
There are also different guidelines and regulations for different types of service providers. You can find more information about each area and how to react to a data breach in each of them on the ICO website.
If you suffer any kind of breach, then you have to decide whether you need to report the problem. Not all breaches need reporting, so the ICO provides a self-assessment form to help data controllers determine whether they need to register each incident or not.
All incidents that need reporting must be presented to the relevant supervisory authority within 72 hours of the event discovery.
If the event is likely to present adverse effects on its data subjects’ rights, the business must inform those individuals without undue delay.
Of course, each organization must ensure that they have appropriate systems to limit any breach risk. Such a system should include breach detection, investigation, and internal reporting procedures.
The ICO has the power to prosecute all offences. They deliver a range of fines and even prison sentences for deliberate breaches. For issues that can be rectified within the law, enforcement notices are provided and should be carried out accordingly.
The prosecutors consider various criteria before delivering each fine. They include the nature, gravity, duration, and character of the infringement. They also examine the type of personal data affected and any previous violations. Finally, the punishment can also reflect how cooperative the business has been throughout the process.
The data subjects can also claim compensation for damages due to a breach. So, as well as being fined by administrators, data controllers and processors are vulnerable to being sued by individuals. Those data breach costs just keep on growing!
The ICO can issue fines of up to £500,000, yet it’s GDPR that delivers the biggest fines.
For the most serious GDPR violations, fines can reach a maximum of €20 million or 4% of the organization’s total annual worldwide turnover.
For less serious breaches, the maximum fine drops to €10 million or 2% of the organization’s worldwide turnover. That’s still quite a fine to face, however big your business operations are.
As you can see, the fines are considerable—and so they should be. Our data and its protection need managing with the highest respect and security. Such substantial fines should hopefully reflect the serious nature of any inaction, the consequences of what happens if you breach the Data Protection Act, and the importance of implementing the right system to avoid them.
Each business or organization must appoint a data protection officer to manage their data protection processes. That includes the personal data of its staff, customers, providers, and any other individual in compliance with the various data protection regulations.
A data protection officer will be hired based on their expert knowledge of the subject, as well as their personal and professional qualities. Understanding how their specific business/organization operates and handles the different data types within their system is also a key factor.
A data protection officer ensures that controllers and subjects are informed of their rights, obligations and responsibilities. They deliver advice and recommendations to the business about the interpretation and application of the rules and register operations with the correct institutions.
Data managers, controllers, and officers need to understand precisely where their business or organization could be falling short of the Data Protection Act or GDPR. A risk assessment can highlight areas where your system doesn’t incorporate the appropriate protection levels for your data subjects.
Risk assessment is another key area covered by the ICO. They provide data protection impact assessments (DPIAs) to help businesses systematically analyze, identify and manage the data protection risks of any project or plan. The key word here is ‘help’. They don’t guarantee to eradicate all risk, but they help minimize risk to an acceptable level.
There are data processing areas that automatically demand impact assessment, and areas that the ICO considers likely to result in high risk. For further information, check out the relevant pages on the ICO website.
In this context, risk refers to the potential for significant physical, material or non-material harm to individuals. An assessment evaluates the likelihood and severity of any potential harm to individuals.
Risk implies more than a remote chance of some harm.
High risk implies a far higher threshold. It could result from more severe damage, or greater chances of being put at risk—or both.
DPIAs are both flexible and scalable, so they suit all sectors and projects. The importance of running regular risk assessments, or an ICO impact assessment, should be obvious. Just consider the fines you could be subject to, and then the added repercussions of failing to provide adequate data security and management systems. You’d be remiss not to have every angle covered.
We hope the above FAQs deliver an enlightening introduction to what personal data is, the Data Protection Act, and what happens if you break the Data Protection Act law.
Having a system in place that manages every angle according to the requirements of the ICO and GDPR is vital in today’s business. Fortunately, we’re here to help you every step of the way, so why not drop us a line to find out how we can provide you with the ultimate protection today?