GDPR & DPIA 2018
The GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018).
The DPA 2018 applies to all organisations that process personal data. Therefore, first we need to consider: what is ‘Personal Data’?
Personal data is basically any data or information which links directly or indirectly to a living person!
This includes names, email addresses, IP addresses etc.
So if your organisation is processing personal data, then it must make sure that it complies with the 5 key principles and that it is in a position to respond to all the data subject rights!
So what are the Key Principles?
You must comply with the following principles:
What is the lawful basis for processing personal data?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
Will GDPR be affected by Brexit?
The GDPR will make significant changes to European data protection law.
It will strengthen existing regulations and extend obligations from controllers to data processors.
Even after Brexit, UK businesses which market their products and services to citizens of EU countries will need to comply with the GDPR. Even if they are only dealing with EU businesses, as long as they process any personal data of individuals who belong to EU member states, they will still need to meet the GDPR requirements.
What should you or your organisation do?
Note that many Personal Data Breaches occur due to Human Error – cover your liability!
The payroll data had been supplied by Morrisons to its external auditor, KPMG.
A senior IT Auditor, Andrew Skelton, copied the personal data onto a personal USB device. A year earlier he had developed a grudge against the supermarket and wanted to cause significant harm to the company.
He did so by posting the payroll data online on a public file-sharing website. Once the press made Morrisons aware of the breach, the supermarket acted swiftly to get the website hosting the data taken down.
As a result of Andrew’s actions, in 2015 he was jailed for eight years for fraud, unauthorised access to a computer and disclosing personal data.
In Various Claimants v WM Morrisons Supermarket, the court found Morrisons vicariously liable for Andrew’s actions, and the supermarket will likely be ordered to pay damages to affected employees.
In certain circumstances the Employer may also be vicariously liable, which means that they are liable for their employees’ actions!
How can Employees become GDPR Aware?
By enrolling on LCATE’s online Employee GDPR Awareness Certificate Course.