Following the introduction of the Data Protection Act 2018 (DPA 2018), organisations have been subject to modernised and extended regulations that aim to protect personal data for years to come. The Act also expands the rights of the individual (the data subject), clarifying, amongst other things, their right to erasure and right to access data stored about them. Breaches of the DPA 2018, which is the UK's implementation of the General Data Protection Regulation (GDPR), can have colossal consequences for individuals and organisations alike.
Why Is Data Protection Important For Individuals?
The Data Protection Act is designed to keep information safe and to offer individuals protection whenever they are asked to disclose personal data. Under the DPA 2018, individuals can hold organisations accountable for storing and processing their data in line with the regulations. The DPA also directs that data can only be used for the explicit purpose for which it was obtained. For example, your email address cannot be transferred to a marketing mailing list unless you have explicitly given your consent for this.
Breaches of the DPA could result in fraud and/or identity theft, the crime rate for which is at an all-time high. Identity theft occurs almost exclusively online and requires only your name, DOB, and address. With this little information, fraudsters can apply for loans and store cards in your name, racking up massive debts and even driving you into bankruptcy. 'Catfishing' has also been the subject of public attention in the last few years, as individuals find fake social media accounts displaying their pictures online; this is another manifestation of identity theft. For this reason, the privacy policies of networking sites like Facebook have come under scrutiny in recent months.
The DPA 2018 gives individuals legal rights over the personal data that is held about them. These rights are outlined below.
Data subjects have the:
- Right to be informed about the data held on you
- Right to access this data
- Right to rectify incorrect data
- Right to erase data
- Right to data portability, which means you can obtain your data to transfer it to a different service
- Right to object to the processing of your personal data
- Right to object to your data being used in automatic decision making and profiling
Why Is Data Protection Important For Organisations?
Protecting data under the DPA 2018 is not a choice; it is a legal obligation. Employing good data protection practices and thoroughly training your staff members in data protection should be standard conduct for organisations, and may help protect them legally in the event of a breach.
A data breach can mean bad news for organisations. Since May 2018, the Information Commissioner's Office (ICO) has been able to issue massive fines of up to €20 million or 4% of annual turnover (whichever is larger) in the event of a data protection breach. Whilst financial penalties could cause major setbacks for organisations (particularly SMEs and start-ups), an arguably more serious consequence of a data protection breach is damage to your business's reputation. The resultant breakdown of trust could impact relationships between your business and its customers, potential customers, suppliers, and employees. An individual seeking goods or services that would require the disclosure of personal information is likely to think twice before trusting a company that has recently suffered a data protection breach.
With an increasing amount of personal data stored online, on electronic devices, and in the cloud, cyber-crime is a growing concern for data protection practice. Implementing good data protection practices reduces the risk that hackers will obtain the personal data that your business processes and stores, and thus reduces the risk of misuse by malicious third parties.
Remember, most organisations also process and store large amounts of data about their employees, and protecting this data is of paramount importance. An in-house data breach could expose sensitive data that might be used for blackmail or in ways that run against equality and diversity principles.
In July 2017 Dixons Carphone (owner of Currys PC World and other UK electrical brands) became the victim of a cyber-attack. Whilst the hacking attempt began in July 2017, it was only revealed in July 2018. The company claimed that it had only just discovered the breach and accordingly complied with the obligation to disclose the breach to the ICO within 72 hours of discovery. Hackers attempted to compromise 5,800,000 credit and debit cards, 105,000 of which were non-EU issued cards without chip and pin protection. As the scandal hit the news, Dixons Carphone saw an immediate drop in their share price, which is still recovering. This incident followed a 2015 data breach at the company, which saw Dixons Carphone fined £400,000 by the ICO.