Data protection and the coming General Data Protection Regulation
James Wickes, Cloudview
Data protection is a fundamental concern for every organisation in the UK that holds personal information. Breaching the Data Protection Act (DPA) has serious consequences for a business – fines, bad publicity and even criminal sanctions, writes James Wickes, chief executive and co-founder of Cloudview.
They now need to prepare for even tighter regulations – the General Data Protection Regulation (GDPR), which will come into effect on 25 May 2018, and has been described by legal firm Wright Hassall as the biggest shake-up of data protection law for 20 years.
Why is this relevant? Because any organisation using the IoT will be collecting huge amounts of data from connected ‘things’, much of it relating to identifiable individuals, and all of it will need to be held under the provisions of the DPA and subsequently the GDPR.
The GDPR will be directly applicable in the UK without further implementing legislation, and serious breaches could see organisations facing fines from the Information Commissioner’s Office (ICO) of up to €20 million or 4% of annual worldwide turnover, whichever is higher. It is vital to begin implementing GDPR-compliant policies and processes now, because the increased fines will apply from the day the regulation takes effect, with no grace period.
And there could be even more at stake. In June 2016 the House of Commons Culture, Media and Sport Committee published the report of its inquiry into cyber security. It says: “We concur with the ICO that whilst the implementation of the GDPR will help focus attention on data protection, it would be useful to have a full range of sanctions, including custodial sentences.” In other words, if that recommendation is adopted, executives whose organisations breach the GDPR could face not only fines but potentially jail.
To understand the implications of the GDPR, we commissioned a briefing note from independent solicitors Wright Hassall. They identified two key issues:
- Organisations whose core activity is processing special categories of data or the systematic monitoring of individuals on a large scale will have to appoint a Data Protection Officer to monitor compliance with the rules.
- Organisations will have to demonstrate that an individual’s consent to the processing of their personal data is ‘freely given, specific, informed and unambiguous’ – in most cases implied consent will not be sufficient.
A good first step in preparing for the GDPR is a Privacy Impact Assessment (PIA), which the GDPR formalises as a Data Protection Impact Assessment and makes mandatory for high-risk processing. Organisations should consider whether there is a legitimate reason to collect each specific item of information, whether it is stored securely, with safeguards against interception and unauthorised access, and whether data is deleted once it no longer serves its purpose. They also need a documented information retention policy that is understood by everyone involved in data collection and handling.
Most important of all, every business needs to understand that personal data is not just written text but any information relating to an identifiable living individual, whatever its form. This is particularly relevant for organisations using the IoT, which can be collecting data of every kind, from how often an individual changes their heating settings to CCTV recordings of their face and movements.
Holding information in the cloud can help with GDPR compliance. Data is retained off-site in a managed environment, and many cloud systems already provide the required access controls and encryption. However, outsourcing storage does not outsource responsibility: under the GDPR the IoT organisation remains the data controller and must satisfy itself that its cloud provider, as a data processor, is compliant with the appropriate regulations and is bound by a written contract covering how the data is handled. Organisations should also check the provider’s terms carefully, because many cloud providers have clauses which allow them to share data with third parties – clearly inappropriate for personal data.
Ignorance is no excuse for breaking the law, and this includes data protection legislation. The new regulation comes into force in 18 months’ time, so organisations need to begin preparing now.
More information is available in the briefing note ‘Is your use of CCTV compliant with data protection legislation?’ from Wright Hassall, available on the Cloudview website: http://www.cloudview.co/dls/white/Cloudview-CCTV-Article-vanilla-23-05-16.pdf