Understanding the UK’s General Data Protection Regulations (GDPR)



(This article is the opinion of the author, and is not intended to constitute legal advice.)

— — — — — — — — — — —

Do you remember 1998?

That was the year US president Bill Clinton and Monica Lewinsky were in the news, the dot-com bubble was getting bigger, the DVD format was released onto the UK market for the first time and the highest grossing movie of that year was Titanic starring Leonardo DiCaprio and Kate Winslet.

Most importantly, it was also the year that the Data Protection Act 1998 became law in the UK, regulating the storage of personal data stored on computers or in paper filing systems.

You remember paper filing systems, right?

Data protection for the 21st century

In 2018, 20 years after the 1998 Act became law, the UK along with its EU partners will be updating the regulations around the management of personal data. The new regulations are called the General Data Protection Regulations (GDPR) and they will become law on 25th May 2018 (regardless of the country’s Brexit negotiations!).

There are a variety of reasons for this important and far-reaching update.

Clearly, the ways we process and manage personal data have changed considerably over the last 20 years. However, legislation did not always keep pace with these changes.

We are seeing a trend for more and more private, personal data being held and shared within and between companies. That trend is only going to continue for the foreseeable future. Furthermore, personal data is an increasingly valuable commodity and is of great value to criminals and to marketing companies, for example. In recent years we have also seen numerous serious data breaches which exposed weaknesses in the existing legislation. So, it is hardly surprising that many experts came to the conclusion that a review of the ’98 Act was long overdue.

GDPR — What you need to know

This is a relatively brief introduction and is designed simply to update managers in organisations preparing for the introduction of the GDPR. For managers responsible for leading those preparations it is recommended that they visit the UK Information Commissioner’s Office website which provides comprehensive guidelines on the GDPR and the preparations that organizations must make to comply with the regulations involved.

The legislation is complex and will impact on different companies in different ways. Importantly, it will impact on any company, wherever it is in the world, that processes the personal data belonging to EU nationals.

So, any company in this position needs to be prepared for the introduction of the regulations in May 2018 and the earlier companies start preparing, the better.

With this in mind here are 7 key things that people working in organizations that handle the personal data of EU nationals need to be aware of.

1. Expect the General Data Protection Regulations (GDPR) to be impactful.

Businesses that process the personal data of EU citizens, regardless of where they are in the world, have until May 2018 to fully comply with GDPR. Companies found to be in breach of the Regulation after that date could find themselves facing substantial fines and the reputational damage they may suffer as a consequence should not be underestimated.

The implications of the legislation will be felt far beyond a company’s legal or IT departments. It will have implications across the organization, including marketing, finance and human resources, and because breaches of GDPR may result in non-complying companies being fined, it will be felt in the boardroom too.

2. Company size

The amount of work each company will need to undertake in order to ensure that they comply with GDPR will depend on:

Number of employees — Companies with 250 or more employees will find that the legislation could involve a greater administrative burden than businesses with fewer than 250 employees.

Existing data protection processes — Businesses that are compliant with existing data protection legislation will find that there is far less work involved than companies with little or nothing in place. So, for example, new business startups will need to ensure that they are collecting personal data in a manner that is compliant with this legislation.

The UK’s Information Commissioner’s Office has produced a 12 step guide for companies to help them prepare for the introduction of the new legislation.

3. Handling of personal data

“Personal data” is defined as “any information relating to an identified or identifiable natural person” and that person is called the data subject.

A personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Under the GDPR, non-complying organizations can face severe fines. This has the potential to be one of the most impactful areas of the Regulations. The legislation provides for non-compliant businesses to receive penalties, depending on the violation, of 2% or 4% of an organization’s total worldwide annual turnover during the preceding financial year.

4. Consent

The GDPR aims to give people genuine ongoing choice and control over how their personal data is used.

Organizations must be able to demonstrate that consent to store personal data was “freely given, specific, informed and unambiguous”.

Where an organization processes data belonging to children under 16 years in the UK (although the age may be as low as 13 in some EU states), then they must obtain parental consent.

The legislation establishes the following rights for EU citizens:

Right to be informed
Right of access 
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object
Rights related to automated decision making including profiling

Importantly, in addition to the express consent required from data subjects under GDPR before their information can be processed, data subjects will have the right to withdraw their consent at any time.

5. Privacy Impact Assessments (PIAs)

The Information Commissioner’s Office encourages a ‘privacy by design’ approach to data privacy.

This means that privacy should be a key consideration in the early stages of any project and for the duration of that project. Privacy Impact Assessments (PIAs) will:

i.) help identify the privacy risks involved in company projects

ii.) give companies the information required to respond appropriately where a PIA reveals that there is a potentially high risk of a privacy breach.

6. Appointing a Data Protection Officer

The GDPR outlines those situations where organizations must appoint a Data Protection Officer (DPO). These are where an organization carries out large scale:

i. systematic monitoring of individuals (for example, online behavior tracking); or
ii. processing of special categories of data, or data relating to criminal convictions and offenses

The requirement also applies to public authorities (except for courts acting in their judicial capacity).

7. Identifying the roles of data controllers and data processors

The GDPR recognizes that different businesses involved in the processing of personal data have different degrees of responsibility for, and involvement in processing of, personal data.

So, it makes the distinction between the roles and responsibilities of a data controller and of a data processor:

Data Controller — determines the purposes and means of processing personal data. The GDPR obligates controllers to ensure contracts with processors comply with the GDPR and to notify the Supervisory Authority no later than 72 hours after having become aware of a data breach that is likely to result in a risk to the rights and freedoms of the person involved. In the UK the Supervisory Authority will be the Information Commissioner’s Office (ICO).

Data Processor — processes personal data on behalf of a controller. The GDPR places specific legal obligations on processors including legal liability if they are found to be responsible for a breach. Where a data processor is responsible for a personal data breach, they must notify their Data Controller.

The Data Processor and the Data Controller can be a person, business or public authority. A Data Processor is under fewer obligations than a Data Controller and companies can be both Data Controllers and Processors.

Conclusion

The world has moved on a lot since the 1998 Data Protection Act became law in the UK. However, despite changes in technology, it is important to recognize that GDPR is not an attempt to rewrite existing data protection legislation; it is simply intended to update and strengthen it.

This is good news for those companies that are complying with the 1998 Data Protection Act before GDPR becomes law. They will have robust foundations upon which to build and the road to compliance may well be relatively short.

However, it is those companies who have made little or no progress towards compliance by May 2018, due to negligence, ignorance, or the fact that they are newer companies, that may find complying with GDPR more difficult to achieve and have the most work to do.

From Farmer To Fork — How Blockchain Technology Is Adding Transparency To Food Supply Chains



Food provenance and food safety are enormous concerns. Blockchain technology is seen by many industry experts as providing the answer to these concerns. That is because it creates a permanent public record of the provenance of the food in the supply chain – from farmer to fork.

That is great news for consumers concerned about where their food comes from and this technology can address their concerns around animal welfare, use of pesticides, farming methods, places of origin and manufacturing methods.

It is also good for food manufacturers who can be sure that what they are buying is exactly what it says on the label.

The World Health Organisation estimated in 2015 that almost 1 in 10 people fall ill every year from eating contaminated food, and 420 000 people die. So, for public health professionals blockchain means that, in the event of food-related public health issues, they are able to scrutinize the whole food supply chain, from farm to store, rapidly and accurately and hopefully save lives in the process.

The problem with modern food supply chains

To understand how blockchain might impact the food supply chain let’s look at the problems with existing supply chains.

Modern food supply chains can be long and complex. So, there are opportunities for human error, food fraud, and adulteration.

Various certifications and guarantees exist already that have been designed to reassure manufacturers and consumers about the provenance and safety of the food that they buy. However, existing regulatory systems rely on inspections by trusted third parties, records stored on computerized databases and paper-based systems, possibly located long distances from one another. These systems can add additional costs, can be subject to fraud and none of them are infallible.

How blockchain helps prove food provenance

Blockchain technology is more commonly associated with cryptocurrencies like Bitcoin. However, that same technology can be used to produce a trustworthy record of the entire supply chain, from farmers through to consumers. It introduces a previously impossible level of traceability and transparency into food supply chains.

Blockchain technology can provide this level of security because it is a distributed ledger system where multiple copies of the same database are stored across multiple computers. When transactions between parties take place these transactions are recorded in a way that is verifiable and permanent. While changes can be made, everyone involved in the blockchain must agree to those changes.

So, this technology creates secure and reliable records of the whole food supply chain. Consumers, retailers, manufacturers, and suppliers will be able to access this public information trail revealing each transaction in the supply chain.

Using blockchain technology in agriculture

Blockchain technology is a game changer in the agricultural industry where incidences of bacterial contamination, food fraud, and adulteration can be expensive and can have serious and long-lasting implications.

A number of companies are already demonstrating how blockchain technology can improve supply chain traceability and transparency.

San Francisco based Ripe.io uses blockchain technology to create secure and reliable product histories for a variety of foodstuffs.

AgriDigital is a Sydney, Australia based company that has created a blockchain enabled commodity management platform to revolutionize the supply of grain.

Beef Ledger is an Australian company using blockchain to prove beef provenance and safety for customers in Asia’s growing middle-class market.

Researchers from Russia’s Peter the Great St.Petersburg Polytechnic University have created a blockchain system that proves the provenance of dairy products to help prevent counterfeiting.

Walmart and 9 food companies including Unilever, Nestle, and Dole are collaborating with computing giant IBM on a project exploring how to apply blockchain technology to food supply chains.

Blockchain technology and public health

Locating the sources of food-borne illnesses such as Listeria, E.coli and Salmonella can be a time consuming and at times difficult process. One benefit of blockchain technology is that it enables the origin of contaminated food to be traced right back to the food producer. Furthermore, where a whole batch of food is contaminated, other contaminated items in that batch could also be rapidly located and removed from food stores.

Conclusion

Demand from consumers for more information about the origin of their food is only going to increase as the public concern grows about the quality and safety of the food that they eat.

Blockchain offers everyone involved in the food supply chain the opportunity to track the provenance of their food — from farmer to fork — perhaps by simply scanning a product’s barcode or QR code. For consumers, and food companies, this offers the reassurance that the food that they buy is exactly what it says on the label. For public health officials, it makes identifying and dealing with the sources of food-borne illnesses faster, and easier, than ever before.

Twitter 101 — How To Start Marketing Your Business Using Twitter

Twitter has millions of loyal users and, as any entrepreneur will tell you, where there are people, there are potential customers and clients.

To get the best from Twitter you will have to learn to communicate using a limited number of characters (Twitter plans to increase the number of characters in a Tweet from 140 to 280, shortly). Fortunately, with only a little inventiveness, you can communicate your message, despite these restrictions.

This makes Twitter a deceptively powerful tool and there is a ‘pot of gold’ hidden out there for entrepreneurs who are willing to put in the time and effort to master this platform.

If you are new to Twitter, or you have an account but just never ‘got’ what it was all about, I want to share my top tips for anyone wanting to get more out of Twitter.

1. Choose a good Twitter username

Choosing the right username matters, as this is how you will be recognized on Twitter. Usernames always start with ‘@’ and although the maximum length of a username is 15 characters, the shorter your username, the easier it will be for people to remember. Wherever possible, choose your name, your business name or a meaningful variation of either as your username. Avoid adult, political, or other usernames that might give people an impression of you that is incompatible with your business.

2. Customize your profile

It is highly recommended that you customize your Twitter Profile. This will become your ‘homepage’ on Twitter and the page people see first when they search for you using your Username or follow your link back to Twitter.

There are 4 steps to customizing your Profile:

i. Choose a background color for your Profile.
ii. Complete the free text boxes. This is an opportunity to tell others a little more about you and what you do. The Bio field offers up to 160 characters to sell yourself and you can also share your ‘Twitter name’ (this can be different from your Twitter Username), location, birthday and link to your website, using the fields provided.
iii. Choose an appropriate header photo (1500 x 500 pixels). This is usually something pertinent to you or your business.
iv. Profile photo (400 x 400 pixels). For business purposes this should be your head-shot rather than your business’s logo.

3. Learn the language

Twitter has its own language and if you want to get the best out of using it, you really need to learn the lingo. Here are some of the most common Twitter terms you need to know:

Tweet — A Tweet consists of text (up to a maximum of 140 characters).

Follow / Un-Follow — When you ‘follow’ another Twitter account their Tweets are listed on your home page. Un-following stops their Tweets appearing on your homepage.

RT or R/T — Short for Re-Tweet, this is the act of taking a Tweet from someone you are following and ‘broadcasting’ it to everyone who follows you. Re-Tweeting is usually seen as a form of endorsement of the information in the shared tweet.

HT or H/T — Hat Tip or Heard Through, use this to acknowledge that someone else made you aware of the content you are sharing. For example: “This article explains how it all began ….H/T @JohnSmith”.

DM — Twitter has a direct messaging function where you can send private messages to someone who is following you.

@ — The ‘@’ symbol identifies every Twitter username, as in @raykay.

# — The ‘#’ or hashtag symbol is a way of categorizing tweets. The great thing about using hashtags is that when you click on a word preceded by a hashtag, any other Tweets with the same hashtag are also listed. Well-known hashtags include #Election2016, #SuperBowl and #IceBucketChallenge.

Blocking — Blocking is a function that you can use to stop someone from seeing or responding to your Tweets and gives you control of your interactions with other Twitter users.

4. Follow the experts in your industry

Follow the experts in your industry, niche or profession. Twitter suggests who you might want to follow, and although it does not always get it right, it is still a useful feature. Additionally, you will be able to see what others are tweeting about. Furthermore, you can respond directly to those tweets, join a conversation or even re-tweet their tweets to your followers. With a bit of luck, they might even follow you back.

5. Interact with potential customers

Interact with potential customers but be careful not to pitch your services too early. In the beginning, just make them aware of your presence, for example by sharing information with them, offering advice or re-tweeting their tweets to your followers.

6. Grow your list of followers by tweeting often

The more active you are on Twitter, the larger your following is likely to be, up to a point. If some of your followers find that you are tweeting excessively they may decide to un-follow you. So, spend no more than 15 to 20 minutes each day on this task and space your tweets out over the course of the day.

Of course, Twitter is a relatively simple platform, especially when compared to Facebook. However, it is precisely its simplicity, and ease of use, that makes Twitter one of the most popular social media platforms in the world today.
