The GDPR (General Data Protection Regulation) is a new legal framework that will be introduced in May 2018. The GDPR covers all areas connected with data protection. Previously, the UK's data protection rules were governed by the UK Data Protection Act 1998 (DPA); from 25th May 2018, all companies that collect and process personal and/or sensitive data in any European country will need to comply with the new GDPR.
The creation and implementation of the GDPR can be seen as a reaction to advances in data collection; never before have companies had the ability to capture such large swathes of sensitive, personal information. For this reason, institutions across Europe will be more stringently regulated to ensure that citizens and their personal and sensitive data are given appropriate protection. Thanks to technological advances, institutions have become extremely adept at capturing personal data; the GDPR clarifies what information falls under the definition of personal and sensitive data, for example by including IP addresses.
UKCBC had the privilege of attending the Cyber Security Summit and Expo GDPR Conference on Thursday, 16th November. Among the stands, presentations and conferences at the event were two particularly interesting talks. Firstly, Ian Stendera, Head of Customer Success at Ardoq (a ‘software as a service’ data management system), presented his take on the benefits of becoming GDPR compliant in his talk ‘GDPR Compliance is Good for Business.’
During the short presentation, Ian commented that “GDPR is a problem for the entire organisation,” as opposed to just data managers. Integrating a cross-department approach to GDPR compliance creates a company culture of awareness around data protection. According to Ian, the new guidelines also give companies a great opportunity “to look back at data and streamline their business,” by turning historical, non-compliant information into GDPR compliant data and, in turn, using that data in new analytical frameworks.
Next up was Group Head of Data Protection and Privacy at Sky, Nina Barakzai, with a presentation on ‘New Considerations for Sensitive Data, Regulated Data, Personal Data and Child Data.’ Nina began the presentation by highlighting some of the professional challenges she faces in relation to GDPR. New rules for minors in the GDPR, for example, create a solid framework around when a person is old enough to give ‘consent’ for the use of their information. Nina related this change to Sky’s volunteering programme, where children and young adults are given a chance to experience working life in the world of TV; with the advent of GDPR, Sky would need to address what information is being obtained and for what purpose, as well as whether consent has been given on behalf of minors. John Carr, Expert Adviser to the European NGO Alliance for Child Safety Online and member of the Executive Board of the UK Council for Child Internet Safety, explains the prior rules for minors regarding data protection in an article for LSE:
“In the legal regime being replaced by the GDPR, established by the Data Protection Directive 1995, the words ‘children’ and ‘age’ do not appear at all. Not once.”
Put simply, no age of ‘consent’ was defined in prior European data protection legislation. Under the GDPR, all countries will now have a ‘consent’ age of 16, at which a person can consent to their information being captured and processed. Below that age, children will need parental consent; how this will be handled in practice remains something of a challenge. One can only hypothesise how sites such as YouTube and Facebook could be affected by this formalisation of the age of consent.
Nina went on to speak about the GDPR implications for data breaches; her advice? “Don’t call it a data breach until you’re certain that is the case.” This comment refers to a new requirement under the GDPR that states there is “a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected.” As well as thoroughly investigating whether or not a “data incident” falls under the GDPR breach guidelines, Nina urged members of the audience to include GDPR breach information in training programmes, creating a company-wide culture of knowledge and ownership of the actions and protocols to follow in the event of a breach.
Interested in keeping up to date with tech and business industry news? Why not subscribe to UKCBC’s HND newsletter? Interested in becoming a champion of data protection? An HND in Computing will give you the practical skills necessary to succeed in the IT industry. Contact a course advisor today to find out more.