You may see or hear about GDPR on a regular basis. Whether you are signing up for a newsletter or a social media platform, or submitting important documents for something such as a product on finance, it is present at all times in our day-to-day lives.
GDPR is an abbreviation for General Data Protection Regulation and is the toughest privacy and security law in the world. Although it was originally passed by the EU, it applies to businesses and organisations anywhere in the world, so long as they target or collect data relating to people in the EU.
As a result of Brexit, the UK stopped being part of the EU and no longer fell within that protection zone. To prevent this from happening, in 2018 the UK government published an update to its 1998 Data Protection Act called the ‘Data Protection, Privacy and Electronic Communication’ Regulations.
Every organisation that holds and processes personal data for a business or other non-household purpose must comply with the set regulations in place.
What is ‘personal data’?
Personal data means information about a particular identified or identifiable living individual. If it is possible to identify an individual from the information you are processing, it is highly likely to be personal data.
The UK GDPR provides a non-exhaustive list of identifiers, including:
- name;
- identification number (e.g. National Insurance number, passport number);
- location data; and
- an online identifier (IP addresses and cookie identifiers which may hold personal data).
A name is on the UK GDPR's list of identifiers and is the most common means of identifying someone. A name alone is not always enough, though: a combination of identifiers may be needed to fully confirm the identity of an individual. Conversely, you don’t have to know someone’s name for them to be directly identifiable.
Why is GDPR important?
GDPR is important because it sets out rules for how personal data must be collected, processed, and stored by organisations. It gives individuals more control over their personal data and imposes stricter obligations on organisations to protect the privacy of individuals.
If an organisation does not comply with GDPR when storing personal data, it puts the individual at risk not only of being identified but also of financial and identity theft; spam calls and emails may also become frequent enough to cause the victim stress.
What could put my data at risk?
While organisations have a duty of care to implement security protection over the data they hold, this does not make them immune to data risks.
The key data risks are:
- Data breaches – hackers steal or corrupt information stored on a company server or database;
- Data loss – when an organisation loses a laptop or USB drive containing data;
- Data manipulation – when an organisation’s internal staff change some of the information to benefit themselves or others;
- Data exposure – organisations do not only collect data about a person; they can also expose it. This includes unauthorised access to sensitive information such as personally identifiable information, financial information and more;
- Data corruption – corruption is a serious problem in the world of IT. It can happen for many reasons, such as hardware failure, software malfunction or virus attacks.
To avoid the above happening, organisations must mitigate the risk so that the likelihood of it happening is low. The best way to manage data risk is to plan ahead: decide which data will be accessed, by whom, and how it will be collected and shared.
The four main ways to manage the risk include encryption, storing backups of data, having strong passwords and activating firewalls which restrict access to devices where the data is held.
Organisations may choose to put in place a privacy management framework. This can range from ensuring staff have a good level of awareness and understanding of data protection, and keeping records of what is done with data and why, to introducing robust programme controls informed by the requirements of UK GDPR.
My data has been taken, what happens now?
If something does go wrong, the organisation should inform the ICO (Information Commissioner’s Office) and the person(s) affected within a reasonable timeframe. Not every breach has to be reported, but the decision not to report must be justified. The ICO will start an investigation to see how the breach happened and what the organisation had in place to prevent it.
The less compliant an organisation has been, the higher the risk of being fined and suffering reputational damage.
Regardless of the findings, GDPR gives you the right to claim compensation where the organisation has broken data protection law. This covers both “material damage” (financial loss) and “non-material damage” (e.g. you have suffered distress).
You do not have to make a court claim to obtain compensation – the organisation may agree to pay you. However, if it does not agree to pay, your next step would be to make a claim in court. The court would then decide whether or not the organisation has to pay you compensation.
This is where we step in.
Court proceedings can be costly, and without the correct legal advice your chances of success could be lower. Barings Law is currently taking on multiple data breach claims against organisations that have been hacked, and even against organisations that have sold data to third-party companies.
If your data has been stolen or sold, we will act on your behalf on a no-win no-fee basis.
All you have to do is submit a quick 2-minute form by following this link.
Once our legal experts have conducted a report to see if you have a valid claim, they will be in contact to get the ball rolling.
It’s as simple as that, and if you are still unsure, you can view our reviews from clients who have had successful data breach claims with us.