GDPR - An Essential Insurance Policy

GDPR is the mandatory legal requirement to provide protection to ALL DATA SUBJECTS. Think of it as a fully comprehensive insurance policy.

GDPR is a robust and valued ‘insurance policy’ for businesses: by ensuring the business is compliant under the regulation, it gives their DATA SUBJECTS legal rights, in or out of business, and ensures they are fully protected in that process.

However, it will not necessarily provide guaranteed protection against a breach. A breach can be accidental, an internal malicious act, or a criminal (external hacker) act. If the ‘car wasn’t insured in the first place’, the business isn’t covered against a crash, and therefore it fails to protect its DATA SUBJECTS.

WHO ARE DATA SUBJECTS?

Simple!
They are the citizens of the world, in or out of the EU, in the UK, or really any country on Earth.

Importantly, they are all Citizens/People, in or out of businesses, and equally Employees/Staff, Clients/Customers and Suppliers, who are under the same regulation and protection.

GDPR alone cannot protect against a breach. But combined with robust security systems and quality training for users, so that competent and responsible measures for internal or external, electronic or physical use are applied and operated under GDPR, it will demonstrate compliance. This also applies to data from overseas companies whose UK business interests are handled here and are therefore subject to UK Law. It is in effect a two-way street regarding data interests.

The Compliant Quality Audit Ltd product

GDPR LITE is specifically designed to work with and for SMEs, Micro businesses and the Self Employed, in line with the Regulations, providing professional cover and support for Data Subjects involved in any similar business. We also provide 12 months free cover with guidance and support in ensuring your full compliance.

The GDPR Templates (29) are correctly and fully prepopulated, easy to use and downloadable for immediate access, providing a professionally prepared tool that is fit for purpose for any business requiring GDPR compliance for all DATA SUBJECTS. The pack is in line with GDPR and with the Information Commissioner’s Office current guidelines.

GDPR LITE Pack

For just £595 + VAT, it is the fully comprehensive insurance policy you need to ensure all DATA SUBJECTS that are, or could be, connected with your business are protected.

Notes to Businesses and Data Subjects:

GDPR includes the following (8) rights for individuals/data subjects:

  1. The right of access;
  2. The right to erasure;
  3. The right to be informed;
  4. The right to object; 
  5. The right to data portability;
  6. The right to restrict processing;
  7. The right to rectification; and
  8. The right not to be subject to automated decision-making including profiling.

 

The 6 GDPR Principles: any Data Subject’s personal data must be:

  1. Processed fairly, transparently and lawfully
  2. Collected for legitimate purposes
  3. Relevant, pertinent, unambiguous and necessary
  4. Up-to-date and accurate
  5. Stored only if necessary
  6. Secure and confidential

 

Keep a record of the personal data you hold and why. That may include:

  1. Personal data you hold e.g. names, emails, financial information
  2. How you got this e.g. a customer form, staff application forms
  3. Why you have this information
  4. How long you’ve had it
  5. Whether you still need it – if not, this is an opportunity to delete it
  6. If you share this information with other organisations, or
  7. If the information you have is ‘special category data’, such as health records or information about someone’s race or political or religious or sexual orientation

 

Explanation about Consent – Why, When, How.

  • Unbundled: Consent requests must be separate from other T&Cs.
  • Active opt-in: Pre-ticked opt-in boxes are invalid—instead use unticked opt-in boxes or similar active opt-in methods, such as a binary choice given equal prominence.
  • Granular: Give granular options to consent separately to different types of data processing wherever appropriate.
  • Named: Name your organisation and third parties who will rely on the consent.
  • Documented: Keep records to demonstrate what individuals have consented to, including what they were told, when/how they consented.
  • Easy to withdraw: Tell people they have the right to withdraw their consent at any time and how to do this. It must be as easy to withdraw as it was to consent, meaning you need to have simple and effective withdrawal mechanisms in place.
  • No imbalance in the relationship: Consent will not be ‘freely given’ if there is an imbalance in the relationship between the individual and data controller.

 

March 2019. Example of I.C.O. prosecution success.

The I.C.O. has stated that organisations have been reminded they could face a criminal prosecution if they fail to respect the public’s legal right to access their personal information.

The warning came from the Information Commissioner’s Office (ICO) after a housing developer was fined by Westminster Magistrates for breaching data protection laws. The company did not comply with an enforcement notice issued by the ICO and so the regulator prosecuted.

The court heard that an individual had submitted a subject access request on 17 April 2017. A subject access request, or SAR, allows someone to request all the personal information an organisation holds about them.

But the company, based in Hazelmere, Buckinghamshire, failed to provide the information within the required timescale of 40 calendar days. Consequently, the individual complained to the data protection regulator, the I.C.O.

The ICO served an enforcement notice on the company ordering it to comply with the law and provide the requested information.

When the company failed to obey the notice, the I.C.O. brought a criminal prosecution under s47(1) of the Data Protection Act 1998.

It pleaded guilty to a charge of failing to comply with an enforcement notice when it appeared before Westminster Magistrates on 6 February 2019. The company was fined £300, with a £30 victim surcharge, and was ordered to pay £1,133.75 towards prosecution costs.

 

February 2019. I.C.O. Advice and guidance.

Like everyone in the UK right now, the I.C.O. are following the twists and turns of the Brexit negotiations. The sharing of customers’, citizens’ and employees’ personal data between EU member states and the UK is vital for business supply chains, regardless of their size, to function and for public authorities to deliver effective public services.

At the moment personal data flow is unrestricted because the UK is an EU member state. If the proposed EU withdrawal agreement is approved, businesses can be assured that personal data will continue to flow until 2020 when a longer-term solution can be put in place. 

However, in the event of ‘no deal’, EU law will require additional measures to be put in place by UK companies when personal data is transferred from the European Economic Area (EEA) to the UK, in order to make them lawful.

With very little time left until the UK leaves the EU, businesses, organisations and Data Subjects/Citizens are obviously very concerned.

 

 

Myth #1: Brexit will stop me from transferring personal information from the UK to the EU altogether.

Fact:

In a ‘no deal’ situation the UK Government has already made clear its intention to enable data to flow from the UK to EEA countries without any additional measures. But, transfers of personal data from the EEA to the UK will be affected.

The key question around the flow of personal data is whether your data is going from the UK to the EEA or is exchanged both ways. If you are unsure, start by mapping your data flows and establish where the personal data you are responsible for is going.

 

Myth #2: I have regular customers from Europe who come to my family’s hotel every year – I’ll need a special agreement set up to deal with their personal details.

Fact:

When a customer passes their own personal data to a company in the EEA or the UK, it is not considered to be a data transfer and can continue without additional measures. However, there may be other ways you transfer data, for example a booking agency transferring a list of customers; in this case you may need additional measures.

 

Myth #3: Brexit will only affect data transfers of UK companies actually exporting goods or services to the EU.

Fact:

Personal data transfers are not about whether your business is exporting or importing goods. You need to assess whether your business involves transfers of personal data, such as names, addresses, emails and financial details to and from the EEA and if this is going to be lawful in the case of ‘no deal’.

It is the responsibility of every business to know where the personal data it processes is going, and that a proper legal basis for such transfers exists.

 

Myth #4: My business will be fine because there will be a European Commission adequacy decision on exit day to ensure the uninterrupted exchanges of personal data between the UK and the EU.

Fact:

‘Adequacy’ is the term given to countries outside the EU that have data protection measures that are deemed essentially equivalent to European standards. Companies and organisations operating within countries with adequacy agreements enjoy uninterrupted flow of personal data with the EU. But an assessment of adequacy can only take place once the UK has left the EU. These assessments and negotiations have usually taken many months.

Although it is the ambition of the UK and EU to eventually establish an adequacy agreement, it won’t happen yet. Until an adequacy decision is in place, businesses will need a specific legal transfer arrangement in place for transfers of personal data from the EEA to the UK, such as standard contractual clauses.

 

 

Myth #5: Our parent company in Europe keeps all our personal data records centrally so I don’t need to worry about sorting any new agreements.

Fact:

Don’t presume you are covered by the structure of your company. In the case of ‘no deal’, UK companies transferring personal information to and from companies and organisations based in the EEA will be required by law to put additional measures in place. Do you need to act now?

There are many mechanisms companies can use to legitimise the transfer of personal data with the EEA, and standard contractual clauses are one of those.

You know your organisation best and will be able to use available guidance via the I.C.O. and/or Compliant Quality Audits Ltd to assess if and how you need to prepare. Alternative data transfer mechanisms exist but it can take time to put those arrangements in place.

It is in everyone’s interests that appropriate exchanges of personal data continue whatever the outcome of Brexit. The ICO will carry on co-operating internationally to ensure protections are in place for personal data and organisations have the right advice and guidance.

 

January 2019. Example of I.C.O. prosecution success.

The I.C.O. announced that a business also known as Cambridge Analytica has been fined £15,000 for failing to comply with an enforcement notice issued by them.

The company appeared at Hendon Magistrates' Court and pleaded guilty through its administrators to breaching s47(1) of the Data Protection Act 1998.

The criminal prosecution related to the company's failure to respond to an enforcement notice issued in May 2018, which ordered the company to respond in full to a subject access request submitted by a US-based academic.

As well as the fine, the court also ordered the company to pay £6,000 costs and a victim surcharge of £170.

 

December 2018. I.C.O. Advice and guidance.

Obviously, the basis on which the UK will leave the EU has still to be decided.

The Government has made clear that the General Data Protection Regulation (GDPR) will be fully absorbed into UK law at the point of exit, so there will be no substantive change to the rules that most organisations need to follow.

But in the case of ‘Cross Border Transfers’ (International), organisations that rely on the transfers of personal data between the UK and the European Economic Area (EEA) may be affected.

Personal information has been able to flow freely between organisations in the UK and European Union without any specific measures. That’s because we have had a common set of rules - the GDPR.

But this two-way free flow of personal information will no longer be the case if the UK leaves the EU without a withdrawal agreement that specifically provides for the continued flow of personal data. If your DATA SUBJECTS’ information remains in the UK, then you act under the UK GDPR law exclusively.

In this event, the Government has already made clear its intention to permit data to flow from the UK to EEA countries. But transfers of personal information from the EEA to the UK will be affected.

It is known that many organisations have already been preparing in case the UK leaves the EU without a withdrawal agreement in place. This includes those that are involved in transfers of personal data to and from the EEA.

Organisations will need to carefully consider alternative transfer mechanisms to maintain data flows and the guidance available currently through the I.C.O. will help you weigh the options and act if this proves necessary.

Standard Contractual Clauses. Many may decide that one potential solution is to put in place what are known as Standard Contractual Clauses between themselves and organisations outside the UK. Particularly aimed at small and medium sized organisations, current guidelines will help you decide if Standard Contractual Clauses are relevant and minimise the cost of putting them in place.

Transfers on the basis of a European Commission adequacy decision. The Government has also made clear its intention to seek adequacy decisions for the UK. An adequacy agreement would recognise the UK’s data protection regime as essentially equivalent to those in the EU. It would allow data flows from the EEA and avoid the need for organisations to adopt any specific measures. But any such adequacy decisions will not be in place before the UK leaves the EU. However, organisations need to consider their circumstances and what transfer mechanisms are appropriate.

Next steps. Current available guidance will help organisations plan ahead and ensure that personal data continues to flow. CQA will continue to help all to understand how any future changes in these regulations will affect you and the measures you need to put in place.

 

November 2018. Example of I.C.O. prosecution success.

A motor industry employee has been sentenced to six months in prison in the first prosecution to be brought by the Information Commissioner’s Office (ICO) under legislation which carries a potential prison sentence.

The employee accessed thousands of customer records containing personal data without permission, using his colleagues’ log-in details to access a software system that estimates the cost of vehicle repairs, known as Audatex.

He continued to do this after he started a new job at a different car repair organisation which used the same software system. The records contained customers’ names, phone numbers, vehicle and accident information.

The ICO usually prosecutes cases like this under the Data Protection Act 1998 or 2018, depending on the individual case. However, in appropriate cases, it can prosecute under other legislation - in this case s.1 of the Computer Misuse Act 1990 - to reflect the nature and extent of the offending and for the sentencing Court to have a wider range of penalties available.

Pleading guilty to a charge of securing unauthorised access to personal data between 13 January 2016 and 19 October 2016, at a hearing in September 2018 he was sentenced at Wood Green Crown Court.

 

June 2018. Completed GDPR LITE development and launch by C.Q.A. Ltd.

After considerable effort and time, our product was made available specifically for SMEs, Micro businesses and the Self Employed, in line with the Regulations, providing professional cover and support for Data Subjects involved in any similar business. We also provide 12 months free cover with guidance/support ensuring your full compliance.

 


To discuss your requirements for a consultation, audit or certification Contact Us now.