
GDPR...Does it apply to me?

GDPR - This is the boring bit but possibly one of the most important things you may read this week.

If you recall, GDPR is the biggest shake-up in data protection for 20 years and legislates over how your business collects, stores and handles ‘personal data’ from a ‘data subject’.

There are less than 6 months to get your organisation (no matter how small) GDPR compliant. Let’s take a closer look at the key principles behind the legislation to get an idea of its scope and impact on your business.

The data protection principles within GDPR set out the main responsibilities for organisations. They are listed in Article 5(1) of GDPR:

“1) personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals
2) personal data shall be collected for specified, explicit and legitimate purposes…
3) personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
4) personal data shall be accurate and, where necessary, kept up to date…
5) personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary…
6) personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

If you study the technical definitions of both ‘personal data’ and ‘data subject’ below, you will see that writing an individual's name and address on a piece of paper constitutes a potential GDPR breach should that piece of paper not be disposed of correctly and in a timely fashion. It sounds ridiculous but the individual's name associated with that postal address makes that data subject an identifiable person which in turn constitutes their personal data.

Let’s look at a more conventional type of data breach with this scenario. Imagine if you printed out every email you have stored in your email inbox and sent items onto A4 sheets. You may have 50,000 sheets of paper, possibly 100,000 or more. Now take that bundle of paper onto a public bus and leave them under one of the seats for someone else to find. This would obviously be a significant data breach as you are releasing thousands of conversations with clients and suppliers into the public domain. This is made more embarrassing when your correspondents would have expected you to have taken all necessary measures to ensure the security of these conversations.

There really is not too much difference between this last analogy and an organisation that uses a sub-standard email provider with weak email passwords on devices that are running out-of-date (insecure) versions of the Mac OS. I think it would be hard to demonstrate to the Data Protection Commissioner that you "ensured appropriate security of the personal data using appropriate technical measures" (see principle 6 above). One then has to consider scaling this potential data security threat up by the number of devices within your organisation, and remember that this data is potentially exposed not just to the fellow passengers on the bus but to anyone in the world with an internet connection and the determination to access it. I haven’t even mentioned any possible backups you may have of this email data, where in the world they are stored, by whom, and their GDPR compliance!

Let’s spin this scenario around and take you out of the firing line for a moment. As a private individual, wouldn’t you expect your optician to take all necessary measures to ensure your records are secure against unauthorised access? How about your accountant, telephone provider, dentist or even your IT consultant? Even today you would expect them to "ensure appropriate security of your personal data using appropriate technical measures". Everyone is going to have to start looking at data in a different way. I cannot think of any organisation that will be exempt from GDPR.

You should be beginning to appreciate that becoming GDPR compliant is much more than buying a few hours of a consultant's time and stiffening up your IT security. It is going to have to be a cultural change within most organisations in the way they handle data, together with raising staff awareness, now and into the future, of their responsibilities when in contact with personal data. This change must be driven by directors and business owners, who should start placing greater emphasis on data protection and security than ever before.

Dejac Associates Limited can help your organisation with its GDPR journey with further details being released later this week.

Best wishes

Darrin 


Some key definitions as defined by the Information Commissioner's Office.


What is ‘personal data’? : “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’).” 

Who is a ‘data subject’? : “An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” 


Dejac Associates Limited is not a law firm. The material available in this publication/website is for informational purposes only and nothing contained in it should be construed as legal advice. We encourage you to consult with your legal counsel to obtain a legal opinion specific to your needs.