The 25th of May 2018 is an important day for data protection. It sees the European General Data Protection Regulation (GDPR) come into force, and GDPR is being incorporated into UK law as part of the Data Protection Act (DPA) 2018.
The new act updates existing data protection law and replaces the Data Protection Act 1998; it is important for several reasons:
- Firstly, it directly links data protection law and the security of personal information.
- Secondly, it introduces new data-protection rights, such as the right to be forgotten (erasure) and the right to request a copy of one's personal information and have it transferred to another organisation (portability).
- Thirdly, it requires that appropriate technical and organisational measures be implemented to protect personal information.
- Fourthly, it requires personal data breaches to be reported to the Information Commissioner's Office (ICO) within 72 hours of the breach being discovered and, where the breach is likely to put the individuals concerned at high risk, to be notified to those individuals without undue delay.
- Finally, it places legal obligations on both those controlling and those processing personal information, so both are responsible for its security.
There is also a much stricter regulatory regime, standardised across the whole of the European Union, with a significant increase in the level of fines that can be imposed for non-compliance.
For example, TalkTalk was fined £400,000 by the ICO for its 2015 security breach. The ICO has made it quite clear that, had this happened under GDPR, the fine would most likely have been at least ten times higher.
It is worth noting that incorporating GDPR into UK legislation means the same requirements will continue to apply after the UK has left the European Union, i.e. after Brexit.
One of the additional requirements of GDPR is that public authorities and certain other bodies are legally required to appoint a Data Protection Officer (DPO).
The DPO's responsibilities are set out in the GDPR:
- An organisation's DPO should report directly to top-level management and must be given all the resources necessary to carry out their functions.
- The DPO should be the first point of contact for anyone who has concerns about the way their data is being handled.
- The DPO is also responsible for monitoring that personal information is looked after properly and for maintaining evidence that this is the case.
The legal requirement to appoint a DPO does not apply to the Masonic Province of Northamptonshire & Huntingdonshire, but it is recommended that organisations holding more than 250 personal records appoint one regardless.
Taking this into account, WBro Nigel Dickens of Kingsley Lodge has been appointed as the Provincial Data Protection Officer. Nigel is also currently serving as Provincial Senior Grand Deacon (ProvSGD).
In the coming months, Nigel will be looking at the way the Province takes care of its members' personal information, and will provide advice to the Provincial Secretariat should improvements need to be made.
It is important to note that there is no intention for Nigel to audit individual lodges, which run their own affairs and are data controllers in their own right.
That said, Nigel is available to advise lodge secretaries on matters such as:
- Information regarding the new Data Protection legislation and its requirements.
- Putting into place appropriate technical controls to protect personal data.
- Handling data breaches.
To get in touch with Nigel, please use the contact form available by clicking here.