Data protection questions and answers
No single blog article can do justice to essential data protection questions and answers. However, here, we attempt to help you understand some key issues and we have also put together an Information Security Fact Sheet which you can download freely.
Q. Data protection rules for Europe are being currently strengthened – why and what can we expect?
A. In late 2015, the European Parliament and Council reached agreement on data protection reform designed to strengthen the citizens’ fundamental rights in the digital age and facilitate business by simplying rules for companies in the Digital Single Market. So far, the UK has adopted EU-driven principles on data protection. Brexit aside, there is little doubt that the UK will continue to abide by the same rules and principles that the EU is proposing.
Q. Why are data protection rules changing?
A. Because whilst EU rules are clear, member states have implemented them with subtle differences. With social networking sites, cloud computing, location-based services, smart cards and more data processing, a robust set of uniform rules over what is personal data, how is is stored, used and managed – is required to protect all EU citizens and ensure companies comply.
Q. What are the fundamental points to remember for consumers?
A. Consumers now have the “right to be forgotten”, “easier access to the data held about them online”, “the right to know when their data has been hacked”, “stronger enforcement of personal data rules”. There are also separate rules for children, police and criminal justice workers. And as rules tighten, expectations on businesses – in terms on how they handle, process, manage, access and destroy data, becomes more pronounced.
Q. How does this affect businesses?
A. The reform provides additional clarity and consistency of the rules to be applied and restores trust to the consumer. It can be summarised as; “one continent – one law”, “one standard”, “same riles for all companies no matter what their size, location or when they wrere established”.
Q. How should SMEs interpret impending changes?
A. SMEs do not need to appoint a data protection officer unless data is core to their activities. SMEs need not keep records of processing activities unless processing could have a freedom of information and personal data implication. SMEs will not be obliged to report data breaches to individuals unless breaches represent a high risk for the rights and freedoms of individuals. SMEs do however have to operate according to agreed information security working practices, making staff and all workers aware of obligations and data protection policy.
About the author
Dan Hawtin is Managing Director of The Shredding Alliance – a secure shredding service to BS EN 15713, accredited to ISO 9001. Every year, over 7,500 Public, Private and Central Government customers have their paper and hard drive material shredded. Collectively they recycle over 40,000 tonnes of paper, off-set over 50,000 tonnes of carbon and save over 650,000 trees.