Data Protection by the Numbers

Who, What, Where, When and Why?

What Year Was the Data Protection Act Introduced? The last several years have seen substantial changes in the area of data protection, perhaps most notably with the introduction of the European Union’s General Data Protection Regulation. After years in development, GDPR was introduced across EU states on the 25^th May 2018. If you're in the UK however it is also important to know what year was the data protection act Introduced, what you can do to abide by it, and what it means for your organisation.

Having been adopted on the 14^th April 2016 and becoming actively enforceable in 2018, GDPR was incorporated into UK law in the form of the Data Protection Act 2018. As with each of the European states, GDPR was adapted in various ways to suit individual nations, but with the foundations and minimum standards remaining the same across the region.

Addressing twenty years of data protection development, the legislation not only imposed new responsibilities for organisations, but also strengthened the rights of citizens whilst also empowering regulatory authorities to levy bigger than ever fines.

As with authorities across Europe, the UK’s Information Commissioner now has the power to fine organisations up to 4% of annual global turnover or 20 million Euros, whichever is greater, for failure to comply with data protection regulation.

In the first year following the introduction of GDPR (May 2018-2019), enforcement authorities received an astonishing 200,000 data breach notifications, with fines issued totalling around €56m, the majority of which coming for a single penalty levied against technology multinational Google.

Principles and Rights

With its roots stretching back many decades, GDPR is only the latest in a long line of data protection legislations. The seven principles of the DPA 2018 and GDPR replaced the eight principles previously established by the DPA 1998.

Though largely similar, the ‘accountability’ principle is often presented as being the important addition to generally ubiquitous standards regarding data protection. Holding organisations explicitly responsible for their respective personal data, this new level of accountability also makes it essential that organisations are not only compliant, but document and make demonstrable their compliance in the process.

7 Principles of Data Protection

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability

Individual Rights Under GDPR and the DPA

The right to be informed – Individuals have the right to be informed as to how personal data is being collected, how it is going to be used, for how long it will be retained, the purpose of its processing and with whom it will be shared.

The right of access – Ensuring individuals can confirm with entities that their data is, or is not, being processed, as well as having access to said data, as well any information relating to automated decisions being made as a part of the processing, and a timeline of data retention.

The right to rectification – Data subjects are entitled to have whatever personal data is being held on them rectified, to be up to date, accurate and complete, with organisations taking reasonable measures to ensure data meets these standards.

The right to erasure – Sometimes known as the ‘right to be forgotten’, the right to erasure allows data subjects to request the removal or deletion of data when there is no compelling reason for its continued processing.

The right to restrict processing – ‘Processing’ being the acts of performing operations upon data (including, the viewing, altering or deletion etc. of data), individuals may block or supress processing for several reasons. The most common of which being, inaccurate data, unlawful processing or direct marketing.

The right to data portability – This allows individuals access to request their data in a machine-readable format, essentially allowing people to reuse their personal data across different services.

The right to object – This allows data subjects to halt the processing of their personal data, whilst also obliging organisations to inform customers/data subjects as to this right at the first point of communication.

Pre GDPR Case Study

EE Vs. Information Commissioner’s Office

In June of 2019, the UK’s Information Commissioner’s Office fined telecoms company EE Limited £100,000 for infringing upon data protection regulations, in the form of 2.5 million marketing messages.

The ICO found that EE had failed to obtain consent for these communications, despite claims from EE that the messages in question were in fact service messages, and therefore not subject to the same rules as direct marketing messages.

Disagreeing with EE’s assessment, the ICO concluded that they were indeed in violation, with Andy White (ICO Director of Investigations) stating: “These were marketing messages which promoted the company’s products and services…EE Limited were aware of the law and should have known that they needed customers’ consent to send [the messages]”.

What is a ‘Data Breach’?

When we hear the phrase ‘data breach´ it’s easy to think about hackers in dark rooms, extracting confidential information, like the cat burglars of the computer world, and although that situation may indeed be a breach, the term actually encompasses a whole lot more.

In professional and legislative data protection language, a data breach also includes the accidental or unlawful loss, unauthorised disclosure, destruction, alteration of, or access to, personal data of all kinds.

Though there may be external components or actors, as with the case of a ‘hack’, a data breach, for which you can face significant fines, can be an incident as innocuous as lost USB drive – depending on what its contents is and how it’s stored.

Comply or Face the Consequences

As noted, the failure to comply with current data protection standards and legislation can now land organisations with previously unprecedented fines. For any breach of the DPA, companies or any party responsible for personal data, can now face fines up to 4% of annual global turnover, or the equivalent of 20 million Euros, whichever is larger.

The new powers of the Information Commissioner also establish a tiered system of penalties, with the above stated referred to as the ‘higher maximum’, and 50% of those figures counting as the ‘standard maximum’.

With it still being early days in the GDPR journey, how fines will be formalised and calculated is an ongoing project across Europe and the UK. Thus far there have been several notable fines levied, and though the consistency and accuracy with which regulatory authorities assign penalty value is currently not quite perfect, penalties for noncompliance are a grave warning to any organisation handling personal data.

Although not all the nuances of data protection enforcement are entirely and completely established, what is clear, is that compliance with modern data protection regulation is business-critical for any organisation operating with personal data, and information security can no longer be ignored.

Post GDPR Case Study

Google Vs. The French Data Regulator (CNIL)

In early 2019, the search giant Google was fined 50 million Euros, or £44 million, by the French regulatory authority, the CNIL. Levied as a result of a breach of GDPR, the CNIL explained the fine as being the results of a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.”

Coming as a response to two complaints filed in May of 2018, the regulator noted that Google had failed to sufficiently inform users as to how collected data was being used to personalise advertising, nor did they provide users with enough control through the consent process; hence failing to comply with the aforementioned ‘transparency principle’.

Though 50 million Euros may seem like an enormous fine, considering Google’s 2018 global annual turnover, had it been deemed necessary, it would have been theoretically possible for the CNIL to fine the search behemoth a staggering 4.9 billion Euros.

Information Security Awareness

With the responsibility to keep personal data falling entirely upon data processors and controllers, it has never been more important to take information security seriously. Researching data protection and knowing what year was the data protection act Introduced is only the first step in securing your organisation. With 90% of all organisations being targeted with information security attacks in 2019, and many of the thousands of successful attacks being easily avoided, poor information security cannot continue.

Threats coming not only in the form of malicious insiders, many of the breaches happening are in fact facilitated by negligent and under-educated members of staff. When 77% of all UK workers have never received any form of infosec training from their employer, it’s unsurprising that the cost of breaches continues to rise.