During the past 12 months there has been a great deal of publicity about the European Union General Data Protection Regulation (generally abbreviated to EU GDPR or simply GDPR) and how it is changing the way we handle personal information. The GDPR came into force on 25th May 2018 and applies to all countries within the European Union. Some confusion has arisen, however, because on the same day, the UK Parliament passed the Data Protection Act 2018, known as the DPA. Understandably, questions have been asked about why two pieces of legislation came into force on the same day, and why the UK needs its own Act if it’s already regulated by the EU?
The DPA – Local Application of a European Regulation
In fact the two acts are entirely intertwined. The job of the Data Protection Act is to set out the framework for data protection law in the UK, including the way in which the GDPR is implemented here. The DPA also sets out the functions and powers of the Information Commissioner, who is responsible for data protection nationally. It outlines any exemptions and extends data protection to some other areas such as national security and defence.
What’s the Difference?
The GDPR has direct effect across all EU member states, so organisations handling EU data have to comply with it. However, there are some areas that the GDPR does not cover. It sets out the rules for most processing and handling of personal information – but it does not apply to processing for law enforcement purposes, or to areas outside EU law such as national security or defence. The areas that the DPA covers additionally include data processing in the following areas:
- The immigration of non-EU citizens
- Criminal law enforcement
- The UK intelligence services and national security
The Overall Principles for Contact Centres…
In terms of the rules that must be followed, there is no difference between the EU GDPR and the UK DPA. The overall principles are that personal information must be:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
Make sure to pay particular attention to your call recordings as these can contain troves of sensitive customer information, which can pose a major hazard for a data breach.
…And for Customers
The principles above mean that individuals have far more control over their data. If you are handling customer information, you should be aware that you are now obliged to comply with any of the following requests:
- inform a customer about how their data is being used
- give them access to personal data (this can no longer incurs a charge)
- update incorrect data
- erase all data relating to a particular customer
- stop or restrict the processing of their data
- provide them with data portability (allowing them to obtain and reuse their data for different services)
So, What Does This Mean in Practice?
The Threat of Fines Is Real…
The big concern for most organisations has been the threat of fines. The level of fines imposed in the UK is in the hands of the Information Commissioner’s Office, but they can go right up to the limits set by the GDPR – and these are high. They can be equal to 4% of your annual turnover – or 20 million euros – whichever is higher. This is a huge increase from the previous Data Protection Act, for which the maximum penalty was £500,000. You may also be required to pay damages to customers or employees whose data has been stolen.
…But the ICO Isn’t Out to Get You
In spite of a great deal of media hype about these penalties, the ICO has repeatedly stated that it would not make early examples of organisations for minor infringements of the GDPR – and that the maximum fines would be imposed only in exceptional circumstances. So far this has proved to be correct. That is not to say that the ICO will not take action where required: some of the major data breaches reported last year are widely expected to incur some significant fines.
What Should You Do?
In the event of a data breach the ICO will take into account the efforts you have made to protect personal information. No organisation can make itself 100% hack-resistant, but following the guidelines will take you a long way in the right direction.
As a first step, if you handle significant volumes of data, you need to appoint a Data Protection Officer. This needn’t be a full time position – it could even be an external consultant – but you must have a named person whose job it is to make sure that you are following the rules. This person will be responsible for managing data protection and data privacy and must be free to give recommendations and feedback without fear of negative consequences.
You should also review any partnerships you have with organisations that are handling personal information for you. It’s no longer an option to pass the responsibility on to someone else – you will be held accountable for any breaches of an organisation or individual processing data on your behalf. This also applies to organisations outside the EU if the personal information relates to EU citizens.
In the event of a data breach, make sure that you follow the approved procedures – all breaches must be reported to the ICO within 72 hours. This doesn’t mean that you will automatically receive a fine – the ICO will take a measured view of minor breaches and may take no action at all – so don’t be tempted to keep it quiet. You are likely to be in more trouble for failing to report it.
If you are already GDPR compliant, then you have nothing to worry about from the DPA. If not, then take a look at our GDPR guide for contact centres to find out what action you need to take.