GDPR is something that all companies need to have clear knowledge of. The Data Protection Act 2018 sets out the newest framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998 and came into effect on 25th May 2018. It aims to empower individuals to take control of their personal data and to support organisations in processing such data in a lawful way.
The aims of GDPR
The aim of GDPR is to provide a set of standardised data protection laws across all EU Member Countries. This aims to make it easier for EU citizens to understand how their data is being used and to raise any complaints about this, even if they are not in the country where the data is located.
GDPR also aims to address any issues related to the exportation of data outside of the EU and to give regulatory authorities greater powers to take action against any organisation that is in breach of data protection legislation.
GDPR aims to help ensure the regulatory environment for international business by unifying data protection regulations and, finally, it outlines a set of legal responsibilities that apply to businesses in terms of how personal data will be protected.
What are the legal responsibilities of businesses to protect personal data?
There are now six principles that govern the legal responsibilities of businesses to protect the personal data of individuals with whom they interact. These are:
- Lawfulness, fairness and transparency: This means that businesses must have a lawful reason to process the data and make it clear how it will be processed. It also means that, if consent is required, individuals must be fully informed of what they are consenting to and are therefore able to opt in or opt out with full knowledge of the consequences of their decision.
- Data minimisation: Data processors may only use the data needed for the task and nothing else. For example, if a customer rang a company about a delivery date then the person they spoke to would not need to access their bank details, only their account information.
- Accuracy: Any personal data held about an individual must be up to date. This includes information such as current address and bank details.
- Storage limitation: Any business must have ‘data retention procedures’ which state how data is deleted when no longer needed and what procedures are in place to assure this.
- Integrity and confidentiality: Businesses are obliged to put appropriate security measures in place to ensure that data is to be protected from unauthorised or unlawful processing. For example, data may need to be encrypted.
What is the 12-step process businesses can use to show they’re compliant with GDPR?
In accordance with the new accountability principle in Article 5(2), businesses must be able to show evidence that they are complying with GDPR and that they have policies and procedures in place to show that compliance is long-term.
Businesses can use a 12-step process to show that they are compliant with GDPR, so that if there are any questions about their compliance they have an accessible and transparent procedure to show how GDPR is being applied.
- Step One: Awareness – Anyone acting as a decision maker needs to be aware of the changes brought about by GDPR and that these have been acted on to show appreciation of their impact on the business.
- Step Two: Information already held – There should be information available about data that is already held by the business. It must be clear where it can come from and whom it has already been shared with. An information audit may be needed if there is some data about which these questions cannot be answered.
- Step Three: Communicating privacy information – Current privacy notices should be reviewed and a plan put in place to make any necessary changes to show that GDPR has been implemented or will be implemented. This includes any kind of privacy notice that a business uses on its website.
- Step Four: Individuals’ rights – All businesses must be able to show that they know and are applying the procedures that cover individuals’ rights. This would include how data is deleted both in electronic and other forms.
- Step Five: Subject access requests – Policies and procedures should be updated and all staff who would receive such a request must be able to show how they will handle the request and how it will be completed within the new deadlines.
- Step Six: The legal basis for processing data – Businesses must be able to lawfully justify the types of data processing that they currently carry out and document the type of data that it is.
- Step Seven: Consent – Businesses must be fully aware of how they are seeking, obtaining and recording consent from individuals. Any changes to this should be in line with GDPR.
- Step Eight: Children – Businesses need to have clear information about the kinds of information held about children, how the ages of individuals are verified and how to gather parental consent for a data processing activity.
- Step Nine: Data breaches – This will be discussed at greater length at the end of this unit. However, it is important to note here that businesses must have the right procedures in place to investigate a personal data breach and must be aware of which kinds of breach need to be reported to the Information Commissioner’s Office.
- Step Ten: Data protection by design and impact assessments – Information about this that is produced by the Information Commissioner’s Office must be familiar to everyone within a business who may be involved in data processing.
- Step Eleven: Data protection officers – All businesses are required to have a designated data protection officer who will take responsibility for data protection compliance.
- Step Twelve: International operations – If a business operates internationally then they need to determine which supervisory authority they come under.
The Data Protection Act 2018
The Data Protection Act 2018 is separated into a number of different parts, which must be applied in appropriate situations as each is designed to perform a different function. It sets out eight different data protection systems:
- Part 1: Preliminary, giving an overview of the Act and its key terms.
- Part 2 Chapter 2: General processing (GDPR).
- Part 2 Chapter 3: General processing (applied GDPR).
- Part 3: Law enforcement processing.
- Part 4: Intelligence services processing.
- Part 5: The Information Commissioner: detailing the functions of the role and its office, along with their powers.
- Part 6: Enforcement, setting out the enforcement regime under the Act.
- Part 7: Supplementary and Final provision, giving additional provisions such as those relating to offences.
Reporting breaches in security
GDPR sets out the procedures that should be followed if there has been a breach in data security. Firstly, the data controller must notify the supervisory authority, and this must be done without undue delay and, where feasible, within 72 hours of the breach being identified.
This aspect of reporting data breaches can only be overlooked if there is a possibility that the rights and freedoms of data subjects would be compromised further as a result. In this instance, the information would be subject to reporting without undue delay.
There must also be a report to the data subject (the individual) where the breach is likely to result in a risk to their rights and freedoms.
Organisations must keep a full internal breach register and those organisations who do not have internal procedures for managing data breaches should consider adopting formal processes at their earliest possible opportunity.
The four Rs of what to do when data has been compromised
It is important to train staff to remember the four Rs when it comes to the compromise of data to make sure that the right steps are followed in what to do next.
- Recognise – The discovery that a breach has occurred, even if this was accidental.
- React – Identify what information is involved, what has happened and what can be done in the first instance to prevent further compromising of the information.
- Report – Contact the organisation’s data officer as soon as possible with as much information as is available.
- Respond – Be able to answer questions so that the correct procedures can be carried out as quickly as possible.