Your GDPR Obligations are now Enforcable!

Article 32 - Security of Processing

Article 32 states that regarding 'Security of Processing';

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk". 

It also includes the following area of deep interest for IS Know How and what we offer our clients service wise, to be able to mitigate said risks and your obligation with the below:

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.


What is the General Data Protection Regulation? (GDPR)

With the ploriferation in vast types of new connected technologies and devices, meaning that we are all sharing an incredible amount of our Personally Identifiable Information (PII) with businesses, including Charities and Social Enterprises across borders; there was a huge requirement within the European landscape, to create and deliver international consistency around data protection laws and rights, which is crucial both to businesses and organisations, and to just as importantly individuals.

Therefore, the UK's current Data Protection Act 1998, will be replaced by the new GDPR legislation. It will bring about much tougher fines for non-compliant businesses, including Third Sector Organisations. Also introducting a much more clearly defined requirement surround Data Breaches, and it's aim is to give people much more say over what companies can or cannot do with their data.

Source: Information Commissioners Office (2016) (External Link)

ICO - Introduction to the GDPR

Does GDPR Affect My Organistaion, I Mean We're Exiting The EU Right?

The Information Commissioners Office have released an overview of the recently agreed European (EU) 'General Data Protection Regulation' framework, which it's important to open this section of the ISKH Resource section with the following position;

“The GDPR will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.”

Source: Information Commissioners Office (2016) (External Link)

Who Does The GDPR Apply To?

The GDPR will apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the European Union (EU) and this will likely be the case for a swathe of UK Third Sector Organisation's.

It will also mean that businesses, including Charities, Social Enterprises etc. will now be directly responsible for Data Protection Compliance, no matter where they are based; just as long as they are processing EU citizens’ Personal Data.

Here follows the ICO's official items for who GDPR applies to;

  • "The GDPR applies to 'controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.

If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.

However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

  • The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
  • The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive [External Link], processing for national security purposes and processing carried out by individuals purely for personal/household activities."

Source: Information Commissioners Office (2016) (External Link)

What Information Does The GDPR Apply To?

Personal Data:

Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.

For most organisations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Sensitive Personal Data

The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9). These categories are broadly the same as those in the DPA, but there are some minor changes.

For example, the special categories specifically include genetic and biometric data, where processed to uniquely identify an individual.

Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).

Source: Information Commissioners Office (2016) (External Link)

Additional Personal Data List:

Personal data should be seen as any information that relates to an identified or identifiable person. There are no distinctions between a person’s private, public, or work roles. Personal data can include:

  • Name
  • Email Address
  • Social Media Posts
  • Physical, Physiological, or Genetic Information
  • Medical Information
  • Location
  • Bank Details
  • IP Address
  • Cookies
  • Cultural Identity

Further General Data Protection Regulation (GDPR) Information

ALL UK Third Sector Organisation's, irrespective of your previous Data Protection Act status, urgently need to put time aside within your organisation and follow the current Four Steps below. Not doing so, will likely lead to a fair chunk of pain for yourselves, beyond May 25th 2018.

Please DO NOT DELAY and leave it, as it will creep up on you incredibly quickly, where you will potentially have a HUGE set of problems on your hands if there's a lack of urgency within your Third Sector organisation.

What Next?

Please now go to the following IS Know How What is the Privacy and Electronic Communications Regulations (PECR) page and read through the ICO's information that we're reiterating for this and your benefit.

Charitable & Voluntary Data Security Incident Trends

You may also be interested to read the statistics that IS Know How have extrapolated from the ICO's Data Security Incident Trends and specifically for 'Charitable & Voluntary' that they provide for "Data security incidents (breaches of the seventh data protection principle [External Link] and personal data breaches [External Link] reported under the Privacy and Electronic Communications Regulations)"


ISKH is in no way affiliated with, or working on behalf of the Information Commissioners Office. ISKH is quite simply putting forward the importance of compliance to our target audience(s). Also to support the ICO's drive to show that Data Protection Act compliance, has a positive impact on a business or organisations Cyber / Data Security Positioning. Any externally linked ICO content in the ISKH website, including PDF documents or video media, is offered for information purposes only, as is.