GDPR: data security four years on

Bruce Penson, the managing director of cyber security and IT support company Pro Drive IT, outlines how GDPR has changed in the UK since the Data Protection Act of 2018.

If you work with data in any shape or form, you should be familiar with GDPR: the General Data Protection Regulation.

GDPR is a framework in European Union (EU) law designed to standardise data privacy laws across EU member countries in Europe, regulating how businesses share information and improving protection for consumers. This mutually agreed legislation came into play in 2018 to replace previous data protection rules across the continent, which had existed long before data was created and shared at the scale it is today.

On the same day in 2018, the UK government published a new Data Protection Act (DPA) — a legal framework governing personal data and the flow of information in the United Kingdom. Like the EU GDPR, this law updated the existing Data Protection Act of 1998 and came into effect on 28 May 2018.

Much has changed since these frameworks were first announced, and the guidance for data protection has evolved as a result. Consequently, even if your business was compliant when the GDPR legislation was first published, that doesn’t mean that it still is today.

So, how have the rules changed, and what must businesses do to ensure they aren’t falling short of the mark?

What’s the purpose of GDPR?

According to GDPR laws, all organisations that process personal data must comply with data protection legislation, regardless of their size.

Simply put, personal information is any information that someone could use to identify a living person, including names, email and home addresses, identification numbers and IP addresses.

GDPR and the DPA 2018 state that organisations must have a clear purpose for collecting personal information and allow individuals to review, amend or challenge data processing practices. Furthermore, businesses must implement appropriate security measures to mitigate against cyber attacks and data misuse and disclose any security incidents involving customer data.

The size of a business will determine the extent of its GDPR obligations. The Information Commissioner’s Office (ICO), responsible for upholding information rights in the public interest, may grant exemptions case-by-case. Exemption from GDPR is dependent on a company’s ability to prove that compliance with UK GDPR will prevent, seriously impair or prejudice the achievement of processing purposes. However, businesses shouldn’t routinely rely on exemptions.

Failure to comply with GDPR can increase a company’s risk of experiencing a data breach and the reputational and financial damage that follows. What’s more, it can lead to hefty compliance fines. So, it’s in business leaders’ best interest to ensure they achieve and retain GDPR compliance for their organisation.

How has GDPR changed since 2018?

In the context of data protection, one of the most significant events that have occurred since the original legislation was released is the United Kingdom leaving the EU.

The DPA 2018 incorporated EU GDPR and passed before Brexit legislation came into effect. As the DPA 2018 was constructed and intended to be read alongside the EU GDPR, which no longer has domestic application here, it’s since been adjusted to reflect the post-Brexit changes to domestic data privacy laws.

The amended ‘UK GDPR’ and DPA 2018 apply to UK organisations that store, collect or process personal data pertaining to individuals residing in the UK and to non-UK organisations that offer goods or services to UK residents. Alternatively, the EU GDPR only applies to organisations and individuals living in or trading with countries in the EU.

Overall, the fundamental principles, rights and obligations associated with GDPR haven’t changed. However, some differences between the UK and EU GDPR have already impacted businesses — or are likely to soon.

The government’s 2021 data strategy consultation, ‘Data: A new direction’, outlined aims to simplify policies from the EU GDPR, reducing regulatory burdens on businesses and incentivising organisations to invest more effectively in data protection. These proposals suggest changes to data protection recommendations for accountability frameworks, artificial intelligence and machine learning, legitimate interests, direct marketing and more.

The future UK data protection framework will favour a more risk-based approach and permit greater flexibility for businesses. Once implemented, these amendments will influence the way organisations are required to record and assess data privacy.

Why should businesses stay up to date with UK GDPR?

As the needs and demands of the digital world continue to evolve, legislation concerning data protection is constantly changing.

The ICO regularly publishes updated guidance for various data protection applications, as controllers and processors manage ever-increasing volumes of personal information.

For example, the Privacy and Electronic Communications Regulations (PECR), which also sit alongside the DPA 2018 and UK GDPR and give people specific privacy rights concerning electronic communications, were amended six times between 2004 and 2018.

In the EU, the PECR directive was due to be replaced by the ePrivacy Regulation (ePR) in 2018 — an update intended to clarify how website operators should handle the use of cookies and complement GDPR. However, the implementation of this regulation has been delayed and isn’t expected to come into force before 2023.

It’s not yet known whether the UK will fully implement the ePR’s requirements. Still, as UK companies are likely to continue doing business in EU countries, this legislation may impact UK businesses. So, understanding and following UK GDPR and DPA rules are crucial for any business that handles personal data.

For professional services industries such as accountancy, finance and law that regularly deal with large volumes of sensitive data, the risk and cost of a cyber attack are high. Solicitors and accountancy firms are likely to be considered ‘controllers’ of data; they’re responsible for determining how and why personal data is processed.

As such, it’s recommended that businesses seek the advice and support of a GDPR consultant that can make organisations aware of the latest legislation and ensure they are meeting their obligations under new laws.


Explore more