Secure Equation and GDPR

Data security is always MegaNexus' number one priority. We have been the market leaders in secure data partnerships for more than ten years, with zero data breaches and zero vulnerabilities.

And, as the market leader in secure databases, we take any change in legislation extremely seriously, and we work hard to ensure that all data we process on behalf of our clients is subject to the same rigorous controls and security accreditation that you have come to expect.

The newest challenge to many organisations that deal in sensitive data is the implementation of the GDPR (General Data Protection Regulation), which replaces the Data Protection Directive from May 2018.

The new regulation brings new compliance rules to any organisation, public or private, that handles personal information. The information below is designed to give you a brief overview of the regulation; it is not legal advice. As each organisation is different, we strongly advise any organisation with queries about the handling of personal data to consult specialist legal teams.

So, what is GDPR?

GDPR is an EU-wide, comprehensive data protection law that replaces the national laws derived from the 1995 Data Protection Directive, protecting personal data (defined as any information relating to an identified or identifiable person). The regulation is the product of long consultations within the EU in response to rapid technological development, the proliferation of businesses operating across borders, and the exponential growth in data that accompanies these developments.

Currently, each member state of the EU has its own rules and regulations surrounding this data, meaning that what is defined as ‘secure’ in one place may not apply to another. As data is now more often used across those borders, GDPR aims to define how that data is handled.

GDPR is enforceable in each EU country, and takes effect on May 25, 2018.

Does it still apply even if my organisation operates in only one country?

The short answer is yes.

If you process personal data anywhere in the EU, and that includes the UK, then GDPR applies to you, regardless of whether the data ever crosses an international border. It also applies to organisations based outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.

What if I get it wrong?

Data protection authorities have a lot of power when it comes to enforcing GDPR, and fines for non-compliance can be very substantial. Authorities will have the ability to fine organisations up to €20million, or 4% of annual global turnover, whichever is higher.

So best not get it wrong then! What do I need to do?

In simple terms, responsibility for the data is split between two distinct roles: ‘controllers’ and ‘processors’.

A ‘controller’ is the entity that ‘determines the purposes and means of the processing of personal data’.

A ‘processor’ is the entity that ‘processes personal data on behalf of the controller’.

For the vast majority of organisations that deal directly with Sequation, Sequation assumes the role and responsibilities of the ‘processor’, and your organisation assumes the roles and responsibilities of the ‘controller’.

This is because Sequation is the company that is processing the personal data on behalf of the controller. Ultimately, it is your organisation that will determine the purpose, conditions and means of this processing, and therefore your organisation is the controller.

Any data that is collected on a person needs to be held securely and safely, so that it cannot be accessed by anyone without the correct privileges. You may want to think about:

  • Any printed documents that are lying around the office
  • Usage of USB sticks and their distribution / security
  • Old filing cabinets
  • Screens in an open office

(please note that this list is not in any way comprehensive – if you are unsure then you are strongly advised to seek proper legal advice)

Consent is one of the lawful bases on which a ‘controller’ may collect personal data (the others include performance of a contract and compliance with a legal obligation), and where you rely on it, it must meet the regulation’s definition: ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes’, given ‘by a statement or by a clear affirmative action’. A tick-box on a web form qualifies only if the person ticks it themselves (pre-ticked boxes, silence and inactivity do not count), as does a signed document stating what the data will be used for. Consent must be as easy to withdraw as it was to give, and you must be able to demonstrate who consented, when, and to what.

Ok, so just what constitutes ‘personal data’?

Personal data is described within the legislation as ‘any information related to a natural person’ (referred to as a ‘data subject’) ‘that can be used to directly or indirectly identify the person’.

This can apply to, for example:

  • Name
  • Photograph
  • Email address
  • Bank details
  • Posts on social media
  • Medical information
  • Computer IP address

What about if our organisation deals with children?

Where you offer an online service directly to a child and rely on consent as your lawful basis, a child below the age of 16 cannot give that consent themselves: you need the consent of the holder of parental responsibility, and you must make reasonable efforts to verify that it was actually given by them.

The GDPR allows member states to lower this age of digital consent, but in no case below 13. The UK has chosen 13 (Data Protection Act 2018).

Will ‘Brexit’ have an impact (presuming it actually happens at some point in our lifetime)?

If you process personal data about individuals in the EU, for example because you offer them goods or services or monitor their behaviour, then the short answer is no: you will still have to comply with GDPR in order to continue to do so, wherever your organisation is based.

If you process data solely in the UK, then at the time of writing no-one knows for sure. The process is part of the Brexit talks, and the UK Government has already indicated it will implement equivalent measures or adopt the GDPR in its entirety. The general expectation is that GDPR will be adopted pretty much as is, given that there was a significant contribution to the legislation by the UK Government. (That is what happened: the Data Protection Act 2018 applies the GDPR in UK law, and the text was retained after exit as the ‘UK GDPR’.)

What is a Data Protection Officer and do I need one?

A Data Protection Officer (DPO) is the person who informs and advises your organisation on its GDPR obligations, monitors compliance with them, and acts as the point of contact for the supervisory authority and for data subjects. Accountability for compliance itself stays with the organisation as controller or processor; the DPO is not personally liable for it.

You will need a DPO if you are

  • A public authority or body
  • An organisation whose core activities involve regular and systematic monitoring of individuals on a large scale (for example, behavioural tracking)
  • An organisation whose core activities involve large-scale processing of special categories of data (such as health data) or of data about criminal convictions

(An earlier draft of the regulation used a threshold of 5,000 individuals in a 12 month period; that figure did not survive into the final text.)

The DPO can be appointed from your current staff, as long as the employee’s day-to-day duties do not conflict with the DPO role (for example, the same person should not be deciding the purposes and means of the processing they are meant to monitor). The DPO must be a person who

  • Is able to report to the highest level within the organisation
  • Operates independently and is not dismissed or penalised for performing their task
  • Has access to adequate resources to meet their GDPR obligations

No specific qualification or certification is mandated, but the DPO must be appointed on the basis of professional qualities, in particular expert knowledge of data protection law and practice. You must also publish the DPO’s contact details and communicate them to the supervisory authority.

Does the GDPR change any other rights for citizens?

The GDPR strengthens the rights of data subjects (anyone in the EU whose data is processed, not only EU citizens), notably in the areas of deletion, restriction and portability, alongside the existing rights of access and rectification.

Deletion, also known as ‘the right to be forgotten’, allows the data subject to require that the controller erases their personal data, for example when they withdraw the consent on which the processing was based, or when the data is no longer needed for the purpose it was collected for. The right is not absolute: the controller must weigh it against competing grounds such as freedom of expression, a legal obligation to retain the data, and ‘the public interest in the availability of the data’.

Restriction allows the data subject to require the controller to restrict the processing of his/her data. A restriction on processing means that the organisation can continue to store the data, but cannot use it.

Portability allows the data subject to receive the personal data they have provided to the controller, so that it can be reused by another organisation. It applies to data processed by automated means on the basis of consent or a contract. The data must be provided free of charge if requested, in a structured, commonly used and machine readable form (such as a CSV file), and transmitted directly to the other organisation where that is technically feasible.

If you’re still unsure, you can get in touch with us by clicking here.