The General Data Protection Regulations (GDPR)
Lighting is no longer a stand-alone building or urban service, existing in isolation from other systems and services. Lighting is being driven by increasingly technologically advanced controls. Whether this is the move towards smart cities or the Internet of Things, small domestic systems or urban big data, security and privacy is becoming a matter of concern.
As we move into an interconnected future we need to understand the implications on how we process and use increasing amounts of data, including current legal requirements given in documents such as the General Data Protection Regulation and The Cybersecurity Act.
This presentation gives an overview of these issues and how they may affect the lighting industry.
Speaker: Peter Thorns BSc(Hons) CEng FCIBSE FSLL – Head of Strategic Lighting Applications, Thorn Lighting Ltd
Hosted by: Ray Keane BSc IEng MILP – Chair, ILP Durham.
Q&As
| Question | Answer |
| Will there be any changes to GDPR after 1st January when our transition from EU ends? | The GDPR exists “as is” in UK law. If the EU changes the GDPR after 1st January it will not automatically apply to the UK, and vice versa if the UK changes the UK version of the GDPR after 1st January it will not apply in the EU, but until this happens they are currently aligned and legal across both the EU and the UK. |
| Is there a particular size of organisation where it is advisable to have a data protection officer? | The requirement for a formal DPO is based upon organisation type (public authority or body) and whether your core activity is large scale monitoring of individuals or processing of special categories of data. It is not based upon organisation size. However regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to discharge your obligations under the GDPR. Therefore, a clearly identified person to do this would be advisable. |
So now that Britain is out of the EU, how will that be affected? i.e. will there be two different standards in Britain and EU? How will that affect the manufactures contractors etc, working in EU countries? | The GDPR is not a standard, it is a law. In principle after 1st January 2021 there are two separate laws, the EU and UK version, even though they will, at least initially, be identical. This means that on compliance paperwork the correct law will have to be identified depending upon location. (Consider that after 1st January BS standards will have to be referenced in official paperwork in the UK, such as BS EN 60598-1, and EN standards in Europe, EN 60598-1, even though they are identical). |
If data held by a 3rd party online, such as an online account and is breached by hackers, what duties does the original data holding company have with respect to remedies? | Under the Cyber Security Act, the security breach has to be reported. The legal owner of the data should be able to show they took all reasonable precautions prior to the breach and should also revise processes and procedures to protect against a similar occurrence. If the legal owner of the data can be shown to have been negligent they will be as liable as the 3rd party. |
| I get lots of marketing phone calls. Is this a breach of GDPR? | Probably not. When you click to accept all cookies for example the terms and conditions may include supply of information to third-parties for such a use. However, you always have the right to withdraw consent and once you do if you are then contacted by the same company again it would be a breach. So, I would suggest the best approach is to check what you are agreeing to instead of just accepting cookies etc. Withdrawal of consent may sound simple but unless you can track down the original consent you have to do it on a case by case basis and marketing companies are not so good at getting the message. |
Does this apply to small voluntary groups such as those involved with junior football teams? | Yes, sorry. I would assume the amount of data held is less in quantity and is easily justifiable, for example on the legal basis of consent, but the GDPR applies. |
If someone holds data can it be inherited, or does it die with them? | Data is generally not held by a person but by a corporate entity. Therefore, it is effectively an asset that may be transferred. |
If information is provided in an email footer, in my view this information is in the public domain. If I store that email and I have to do for my business records etc. Do I have to advise the email sender I am holding the data they supplied to me? | By voluntarily sending you this data you have implied consent. If you supplied this data to a third-party without formal consent to do this it could be an issue. This would be in the case of forwarding an email for example. |
How do the current regulations work on track and trace and businesses collecting personal details? | From the point-of-view of the business collecting the data it is a legal requirement and therefore has a legal basis within the GDPR. This assumes they use the data within the limits required. E.g. it is only used if a positive Covid case occurs and is destroyed after a set time. |
Is it correct that you can charge reasonable costs should someone request a significant amount of information? For example, a disgruntled ex-employee could just create work just to cause a problem. | Yes, although you will have to justify this. If the request is obviously unfounded or excessive a reasonable fee may be charged. Also, if an individual requests further copies of their data following an initial request you may charge. |
In what way if any does GDPR apply to those organisations based outside of the EU who hold data on those within the EU? | For data that is collected within the EU but sent outside of the EU for processing the GDPR applies. If the data is collected outside of the EU, for example an EU citizen spending time in a non-EU country, the GDPR will not apply. |
| Are these regulations part of the ISO 27001 certification? | A failure to comply with the GDPR in terms of data processing could be defined as a failure to manage information security. However, ISO 27001 is not directly linked to the GDPR in that it will not consider the legal basis for holding data, only that any data held is managed and controlled correctly and securely. So, certification to ISO 27001 is not proof of compliance with the GDPR. |