Click here to confirm your consent to continued emails on our mailing list…. What is GDPR and does it affect us as engineers?

If you are like me, then you have noticed a barrage of emails from all the obscure companies and websites that you may (or may not) have signed up to since, well, ever.  The reason for this surge in correspondence is the EU General Data Protection Regulation (GDPR).  The new rules take effect from today, updating and standardizing data protection laws across Europe, including the old UK Data Protection Act of 1998.

Being in the US, I’ve managed to avoid the majority of the news and all the effort involved in preparing for GDPR but now that I’m getting ready to return, I’m starting to ask myself: “What is GDPR?”  More importantly, I’m interested to know how it differs from the existing/previous data protection act and what mindset I need to adopt before returning, conscious that I may have become accustomed to the US system…

NB: Though referred to as GDPR, the UK implements it by means of a new Data Protection Act (DPA) (2018), which was passed just two days ago.  In this blog, GDPR describes the actual GDPR as well as the new DPA (2018) in order to distinguish the new rules from the old DPA.

What is GDPR?

GDPR modernizes data protection laws to account for developments in the collection and use of personal data by government and businesses.  It expands consumer rights whilst also increasing the obligations on those that hold personal data and the penalties for non-compliance.  For example, the new law is clearer in articulating the requirement for organizations to gain consent for holding your personal data, hence the barrage of emails.

How much does it really differ from the previous Data Protection Act?

Thankfully, the Information Commissioner’s Office (ICO) states that most businesses, if already in compliance with the old law, will have few changes to make to ensure compliance with the new Act.

The definitions of personal data are the same as previous regulations: anything that may allow an individual to be identified (directly or indirectly)…   There is also a special category called sensitive personal data which indicates an individual’s political and religious beliefs, sexual preferences and even racial background and gender.

The rules on holding and processing personal data mostly remain unchanged in that there must be a legitimate reason for information to be collected and maintained (consent is but one of these bases for collection – thus lack of consent does not prevent an organization from holding or collecting your personal information).  These are mostly the same as those for the DPA, but GDPR introduces stricter accountability and transparency requirements as well as requiring public bodies to consider a new “public task” basis.  From my research of the topic, the various bases allow the army to hold and process personal data for most tasks, including obvious HR data for employment and pay/tax purposes as well as your unit asking for and holding things such as personal contact details and your car insurance information.

Some of the bigger changes include increased accountability/governance requirements, including the drafting of “data protection policies” and “data protection impact assessments”.  Organizations are also now specifically required to report breaches to the ICO and affected individuals within 72 hours (rather than having them swept under the carpet in fear of the reputational damage).  The information owner/consumer also now has better rights, including free access to any information held on them and the relatively new concept of the “right to be forgotten” – individuals have the power to compel organizations to delete their personal data when it is no longer relevant for the reason it was obtained, or if consent is withdrawn.

The new fines are also large.  Small offences can have penalties of up to 10m euros or 2% of an organization’s turnover; larger offences can have fines of double this (20m euros or 4% of turnover).  This is a significant increase compared to the current 500k GBP maximum allowed by the DPA – this explains the apparent panic amongst businesses and the desire to demonstrate compliance by getting you to re-consent to them holding your data.

What does this mean for us as engineers and also officers in the army?

Under the DPA and now GDPR, the army is required to document why information is held, what is to be stored, for how long, and with descriptions of the level of security put in place to protect it.  GDPR also now requires a Data Protection Officer (DPO) to be employed to supervise this work, monitor compliance, and act as a point of contact for employees etc…  I can imagine this being performed at a service level, so I predict GDPR will change little from a regimental perspective.  However, this assumes the regiment is in compliance with the DPA to begin with!

The main issue with GDPR from the perspective of military officers is that the increased requirement for accountability and the larger fines make it even more important that use of personal data is properly recorded, including holding registers of who has access to personal data and the various locations/files where it’s stored.  This may sound simple, but closer reflection indicates office failings can be rife.  For example, contact lists, nominal rolls of personnel attending certain exercises, or use of spreadsheets for managing employees all involve use of personal information (names and contact or employment details such as rank or regimental number); each record or working document should be registered, but my experiences suggest this is rarely done to the level required by the DPA, and now GDPR… The effect of GDPR on regimental life might be greater than it otherwise should be.

Construction sites must also consider the rules of data protection.  Sign-in sheets for attendance at inductions, tool box talks, and even time-sheets all contain personal information and thus fall under data protection requirements.  Though I have experience of this, my gut tells me that construction sites likely perform similarly to the army (good corporate attention to the DPA but less so at lower levels or for certain areas).

GDPR is therefore just as important for construction and military organizations as it is for big tech firms.  As already described above, specific consent is not necessarily required for this information to be stored if there are legal or contractual requirements for holding the information (e.g. Health and Safety rules for inductions being attended etc… or contractual needs to monitor working hours).  This means that GDPR won’t result in construction companies being required to include ‘opt in’ boxes for these sheets etc…  However, the implications of GDPR for how the organization governs the process, maintains and secures the records, and complies with requests to share information on what data it holds on individuals are potentially big, so it shouldn’t be ignored.

Do I need to be concerned coming back from the US and entering a whole new world of data protection?

Thankfully, no.  The USA is not too dissimilar to the UK in terms of data protection and privacy rules, though there are obvious differences, particularly in terms of terminology.  The legal responsibility to safeguard personally identifiable information (PII) stems from the Privacy Act of 1974.  PII is similar to the UK and EU terminology for personal information except it only includes information that allows direct identification; PII doesn’t include items like transaction histories, likes and hobbies which might allow identification when combined together, i.e. GDPR is broader than American data protection.

Because of a more pervasive private healthcare industry, the US also places greater emphasis on personal health information (PHI) which is regulated under additional legislation – however, PHI is beyond the scope of this post and our interest as engineers.

The US data protection rights provided under the 1974 Privacy Act are relatively strong in preventing disclosure without the consent of the information owner, except under certain exemptions such as ‘routine use’ (the reason for the data’s collection and storage) and legal requirements, etc., that pretty much mirror those covered by the DPA and now GDPR.

In terms of penalties, those failing to comply are subject to criminal and civil penalties (unliquidated damages plus reasonable attorney fees, criminal records and fines of up to 5,000 dollars).  The US fine appears paltry compared to those of both the DPA and GDPR and suggests reasons why companies in the USA may be more lax about breaches.  Thankfully, release of PHI is treated more severely, with individual fines of up to $250k and ten years in prison for disclosing health information for commercial gain.

My personal experience and recent research suggest the greatest difference is that US companies tend to treat data protection as a legal issue related to civil damages rather than a moral responsibility to protect an individual’s privacy.  Because of this, I’m confident the transition back to the UK and the new GDPR will be relatively easy and simple.

However, one can’t be complacent.  If anything, GDPR reminds us that it’s important to keep data protection in mind when establishing any new site/project.  It relates perfectly to our project management training and the need to establish good governance and documentation procedures from the very beginning.  It is, in the end, a moral and legal obligation that we protect the privacy of those we work with/for.
