General Data Protection Regulation (GDPR) &
UK Data Protection and Digital Information Bill 2024

Everyone has heard about the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679:

https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en

which came into force on May 25, 2018. The fines are large and you will have to comply. Like any official document, it is written dryly and can be interpreted in different ways. Over the past few years, we have analyzed numerous web systems for compliance with the GDPR and found inconsistencies in many of them. Because of this, the purpose of this article is not to explain what the GDPR is (a lot has been written about this already), but to give practical advice to technical people on what needs to be done in your system to become GDPR compliant.

Here are some interesting points about the regulations:

• If there is at least one customer from Europe whose personal data you store, you are automatically subject to the GDPR.

• The regulation is based on three main ideas: protection of personal data, protection of the rights and freedoms of people with regard to their data, and restriction of the movement of personal data within the European Union (Art. 1 GDPR).

• While the UK was still in the EU, it was subject to the GDPR; after Brexit, the GDPR was replaced by the UK Data Protection Bill, which is very similar in essence to the GDPR (https://ico.org.uk/media/2614158/ico-introduction-to-the-data-protection-bill.pdf), and was followed by a new version, the Data Protection and Digital Information (No. 2) Bill, in March 2024 (https://www.gov.uk/government/news/british-businesses-to-save-billions-under-new-uk-version-of-gdpr).

• The transfer of data to third countries is seriously limited. The European Commission determines to which “third” countries, or to which sectors or organizations in those countries, personal data may be transferred (Art. 45 GDPR). Here is the list of permitted countries and organizations: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

• It is clear that no one will simply let the supervisory authority inside the system, which means that the security of the system and its processes can only be demonstrated “on paper.” If the security of processes, systems and personal data is not documented, the company is not GDPR compliant: “The controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” (Art. 24 GDPR)

A few specific points that may require the involvement of lawyers:

• Processing of ‘special data’ (Art. 4 GDPR) is prohibited by default. The collection of personal information regarding health, sexual life and orientation, biometric and genetic data, and philosophical and religious beliefs is prohibited (Art. 9 GDPR), except in the cases listed in Art. 9 GDPR.

• If the controller or processor is not registered in the EU, an official and documented representative must be appointed in the EU (Art. 27 GDPR).

• All subcontractors with whom the data controller works, no matter where they are located, must also comply with the GDPR, and the corresponding changes must be made to the contracts (Art. 28 GDPR).

• A subcontractor has no right to use the services of another subcontractor without the written consent of the data controller (Art. 28 GDPR).

• There are serious restrictions on data transfer, so it is worth familiarizing yourself with all the transfer conditions if data is sent or stored outside the EU (Chapter 5 GDPR).

• Data Protection Officer. This role is required if special categories of data are processed or if data processing is carried out by a public authority (Art. 37 GDPR).

• United Kingdom: Information Commissioner’s Office (ICO) registration

• Ordinary users can submit questions and complaints about data processing violations by a particular company here: https://ico.org.uk/make-a-complaint/ – an investigation and possible proceedings will follow.

• Companies should also report hacks and leaks of personal data here: https://ico.org.uk/for-organisations/report-a-breach/

• Not every organization is required to register with the ICO and pay the annual fee, but those that process personal information must do so unless they are exempt: https://ico.org.uk/for-organisations/data-protection-fee/

Useful links:

• Data Protection in the EU official page (incl. the Regulation): https://commission.europa.eu/law/law-topic/data-protection/data-protection-eu_en

• UK Information Commissioner’s Office (ICO): https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/

• New UK Data Protection and Digital Information Bill 2024 release: https://www.gov.uk/government/news/british-businesses-to-save-billions-under-new-uk-version-of-gdpr