In the modern day, giving over your data is common, whether that be signing up for a points card from your local supermarket or using sites such as LinkedIn. The General Data Protection Regulation (GDPR) recognises that your personal information shouldn’t be free for these organisations to use, so it sets rules and regulations to protect everyone’s personal data. During our Rockborne training programme, we were lucky enough to have Simon McDougall, formerly the Executive Director of Technology Policy & Innovation at the Information Commissioner’s Office (ICO), join us. He explained to us the principles of GDPR, how often people break compliance and what his role consisted of.
The Data Protection Act 2018 is the UK’s implementation of GDPR and is twofold. Firstly, organisations handling personal data must ensure data is:
- Accurate and kept for no longer than necessary
- Kept lawfully with good security
- Acquired for a specified purpose and used accordingly
- Not shared unless this has been agreed
Secondly, anyone has the right to request information that an organisation has about them, including:
- How their data is being used
- How their data is being processed
- Access to their personal data
- Erasure of their data, or correction of inaccurate data
Simon detailed that one of the advantages of GDPR was that the ICO, as a regulatory organisation, could fine companies much larger sums of money for data breaches, compared to a maximum fine of £500k before, which is not a lot for huge companies. As well as this, the Data Protection Act 2018 has enabled the ICO to intervene more in the misuse of data. The ICO’s first action would usually be to issue a warning letter, which does stop most abuses of data. However, actions can escalate if data misuse doesn’t cease, and the ICO can then issue warrants, obtain company devices and issue stop processing notices. This seemed shocking to our cohort, but Simon assured us that these actions are rarely required, and that many acts of data misuse are caused by a breakdown in communication within an organisation, cutting corners and being unaware of the laws around data use.
Like many, I was intrigued to hear how COVID-19 affected the concerns of the ICO and how they changed their operations. Whilst Simon said that breaches by organisations didn’t increase, the way that the ICO had to intervene changed, as they learnt to rely on online video calling to talk to people about how they handled their data. Furthermore, as work and domestic life blended, the ICO had to think about how they could regulate data use by employers when their employees’ workplaces were now their homes. During Simon’s talk it was clear there were many factors that the ICO had to adapt to quickly in order to help protect people’s data, which seemed to be a lot of hard work and long hours!
So, what is next for GDPR? Well, the Data Protection Act is only 3 years old, so hopefully organisations will become better at handling data as it becomes more and more important to them. As well as this, I believe that these regulations will have to be updated increasingly frequently as uses of data such as machine learning algorithms become more sophisticated. Furthermore, people should be made more aware of how they can request information about their data, as I believe most people don’t know what information organisations hold about them and how it could potentially be used.
On behalf of the whole cohort, we were so fortunate and grateful to have Simon McDougall talk to us about GDPR, and even though we had him for over an hour I’m sure we could have talked all day, as we had so many questions and he provided such interesting insights!