As a company, we often receive questions relating to data protection concerns and it is clear that some operators have not got to grips with their obligations.
It is also apparent that some local authorities do not fully understand their responsibilities either, and data protection legislation is occasionally used to support a blanket refusal to discuss certain information.
Crucially, GDPR is about personal data and, while this can be fairly broad in scope, the information must relate to an identified or identifiable person.
There have been a number of high profile cases over recent months and it is clear that personal information is a valued commodity.
Example fines include a £400,000 penalty applied for sharing the personal data of more than 14m individuals and a £145,000 fine applied to a London Borough Council for disclosing personal information of over 200 people. It is worth noting that the severity of the council’s fine was significantly affected by the nature of the failings in that particular case.
Yes, the potential fines under the new regulations are significantly greater than previously, but large penalties are generally only applied to significant, large scale breaches where operators fail to provide appropriate protection.
I appreciate that this is a rather dry subject, but many experts have confirmed that the new legislation was an ‘evolution and not a revolution’.
Many of the core principles under the old law were retained, such as the requirement to understand what personal data you hold, ranging from customers to employees, how it is securely stored and how long you keep it.
Fundamental principles relate to accountability and transparency, and operators should review their internal policies and procedures.
All assessments and decisions should be recorded to ensure you can respond quickly to any potential data breach and evidence your efforts to manage and protect the personal information you hold.
A good starting point is to consider how other parties use your own personal information, asking ‘is it secure?’ and ‘am I informed about my rights?’.
The Morning Advertiser has previously published Top Tips and advice focusing on detailed action points for consideration. Our advice last year was and still is ‘don’t panic’. GDPR is a perfect reminder for us to purge old and irrelevant information and improve operational practice.
The ICO continues to publish guidance on its website and is always willing to provide advice.
For any legal enquiries please visit Poppleston Allen's website.