We all have data that is personal to us and some that are even sensitive. We expect government bodies, authorities and businesses that process our data to do so responsibly.
The law also expects this, and there are legal requirements surrounding the use of everyone’s personal data. Therefore, if you or your business processes personal data, you must follow strict rules to ensure you comply with data protection laws.
Data security incidents are not uncommon. According to the Information Commissioner’s Office’s (ICO) latest statistics on data security incident trends:
- There were 2,425 incidents reported (01/01/2021–31/03/2021).
- Data emailed to the incorrect recipient was the most reported incident, followed by other non-cyber incidents.
- The majority of non-cyber and cyber-security incidents were in:
– Education and childcare.
– Finance, industry and credit.
– Local government.
- Phishing and ransomware were the most reported cyber-security incidents.
You or your business must take care to avoid personal data breaches. You can do this by understanding the rules regarding personal data. You must also know what your legal responsibilities are under the Data Protection Act 2018 and UK GDPR.
This article will look at the Data Protection Act 2018 and what businesses need to do by law. It will also cover breaches of the Act and the rights of individuals when it comes to their data.
The Data Protection Act 2018
The Data Protection Act 2018 (DPA 2018) is a UK Act of Parliament. The DPA 2018 superseded the Data Protection Act 1998 on 23rd May 2018 when the EU General Data Protection Regulation (GDPR) 2016 came into force. The GDPR 2016 is an EU regulation on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).
As the UK was a previous member state, the EU GDPR was directly applicable. After the UK left the EU, the GDPR was retained in domestic law and became the UK General Data Protection Regulation (UK GDPR) on 1st January 2021. The UK GDPR sits alongside an amended version of the Data Protection Act 2018, and both apply to the protection of personal data. Even though these laws complement one another, businesses must comply with both, as there are differences.
If you do any business in or with countries in Europe, you may have to comply with both EU GDPR and UK GDPR. If in doubt, it is always best to seek legal advice to ensure you are correctly complying with the law.
Data protection legislation controls how people’s personal information is used by organisations, businesses or the government. It also introduces ‘digital rights’ for individual citizens, as personal information is increasingly stored in computer databases. It also determines how, when and why any organisation can process personal data.
Data protection principles
Article 5 of the UK GDPR sets out seven key principles, which lie at the heart of the general data protection regime (ICO). These principles are:
1. Lawfulness, fairness and transparency – Personal data must be processed lawfully, fairly and in a transparent manner.
2. Purpose limitation – Personal data can only be collected for specified, explicit and legitimate purposes. It can only be used for a specific purpose and no other. Individuals’ details must not be passed on to third parties unless they have already consented.
3. Data minimisation – No more than the minimum amount of data should be kept for specific processing.
4. Accuracy – Data must be accurate and where necessary kept up to date. If the data held is wrong or out of date, individuals have the right to have it corrected or deleted.
5. Storage limitation – Data that is no longer required should be removed.
6. Integrity and confidentiality (security) – Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage.
7. Accountability – The controller has responsibility for demonstrating compliance with the other principles.
There are also principles in Part 3 of the DPA 2018 for law enforcement processing.
These principles are a vital part of ensuring businesses remain compliant with data protection laws. If you do not comply with these principles, it can result in substantial fines.
The aims of the Data Protection Act
According to the Information Commissioner’s Office (ICO), data protection is:
“The fair and proper use of information about people. It’s part of the fundamental right to privacy – but on a more practical level, it’s really about building trust between people and organisations. It’s about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others, and striking a balance with the wider interests of society.”
Therefore, the DPA 2018 aims to:
- Strengthen the rules to protect against theft and loss of data.
- Empower individuals to take control of their personal data.
- Improve and protect individuals’ rights concerning their personal data.
- Support organisations to lawfully process personal data.
- Ensure that data protection laws are fit for the digital world.
- Build trust and improve confidence between individuals and organisations.
- Remove unnecessary barriers to trade and co-operation.
- Make organisations more accountable, responsible and transparent when processing personal data.
- Improve confidentiality when processing personal data.
Who must comply with the Data Protection Act?
All businesses and individuals who process any personal data must comply with the DPA 2018 and UK GDPR.
Processing can mean anything done with data, such as (this list is not exhaustive):
Data protection laws will apply if you or your business carry out any of the above activities and have any information about individuals for any business or other non-household purpose. It does not matter the size of your business, turnover or nature. If you process any personal data, you must comply with the law.
Under the DPA 2018, you must also register and pay a data protection fee to the ICO unless you can show that you are exempt. If you are not exempt and fail to register, you could face a fine. You can use the ICO’s self-assessment tool to determine whether you need to register.
What is personal data?
Personal data is information that relates to an identified or identifiable person (a data subject) who could be directly or indirectly identified based on the information.
It includes an individual’s:
- Identification number, e.g. National Insurance or passport number.
- Location data, e.g. home address or mobile phone GPS data.
- Online identification, e.g. IP address or email address.
There are also special categories of personal data, which cover sensitive information, for example:
- Ethnic background.
- Political opinions.
- Religious beliefs.
- Trade union membership.
- Biometrics (where used for identification).
- Sex life or orientation.
Sensitive information has stronger legal protection. There must be lawful grounds for processing these data types, and additional safeguards must be in place. There are separate safeguards for personal data relating to criminal convictions and offences.
The DPA 2018 and UK GDPR apply to electronic files and paper filing systems that include personally identifiable information. Spoken information is not included, but confidentiality can be breached if personal or sensitive information is discussed where others can overhear.
Responsibilities under the Act
As a business owner, you have overall responsibility for protecting people’s personal data.
There are also specific responsibilities detailed in data protection laws, for example:
- A controller – Is responsible for ensuring that any data processing complies with data protection legislation. They decide how and for what purpose the data will be collected and used. Employers are likely to be classed as a controller. However, it can also be an individual, such as a sole trader.
- A processor – Processes the data on behalf of the controller, as per their instructions. A processor is not an employee but a separate organisation or person.
- A Data Protection Officer (DPO) – If you carry out certain types of processing activities, you have a duty to appoint a DPO. You can use the guide in our knowledge base on what a DPO is to find more information.
Everyone in your business will have some responsibilities regarding data protection. If you are an employer, you must also make your employees aware of their rights concerning their own personal data and what they must do to protect other people’s.
Information on the responsibilities of controllers and processors is available on the official ICO website.
Breaching the Data Protection Act
What is a breach?
The Information Commissioner’s Office (ICO) is the regulator for data protection in the UK. According to the ICO, a personal data breach is:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data.”
Some examples of data breaches are:
- Personal data being accessed by an unauthorised third party, e.g. cyber-security incidents, such as hacking.
- A deliberate or accidental action (or inaction) by a controller or processor, e.g. sharing login details.
- Personal data being sent to the incorrect recipient, e.g. an email, letter or fax sent in error.
- Computing devices, e.g. media or equipment, containing personal data being lost or stolen.
- Loss or theft of paperwork containing personal data due to being left in an insecure location.
- Unauthorised disclosure and alteration of personal data without permission.
- Personal data being unavailable, e.g. due to equipment failure.
- Improper and insecure disposal of paperwork or hardware containing personal data.
- Personal data being obtained by deception, e.g. blagging offences.
Many would think that the majority of data breaches come from cyber-security incidents, such as database hacking. However, they often result from businesses lacking appropriate procedures or training in personal data handling.
You can find examples of breaches on the official ICO website.
Actions to take if there is a breach
Where possible, you should prevent personal data breaches. However, this is not always possible, as errors can and do happen. If you become aware of a personal data breach, you must:
- Assess the breach and determine whether it is reportable to the ICO. Not every data breach is reportable. The ICO has a self-assessment for data breaches that you can use to determine whether a breach needs to be reported.
- Notify the ICO as soon as possible and within 72 hours of becoming aware (if it is a reportable breach).
- Inform individuals (whose personal data has been affected) right away if the breach carries a high risk of affecting their rights and freedoms.
- Investigate and put an action plan in place to prevent it from happening again.
- Keep a record of all personal data breaches, even the incidents that are not reportable.
There should be procedures in place for identifying, reporting and investigating personal data breaches.
Having robust procedures and response plans will help you deal with any incidents in an organised manner and assist in making decisions about reporting. If you have employees, you should make it clear what a personal data breach is and what their roles and responsibilities are.
Further information on handling personal data breaches can be found on the ICO website.
Actions to take if you receive a complaint
If you receive a complaint from someone who believes their data has been misused or has not been kept secure, you should:
- Have a responsible person in the business deal with the complaint.
- Take the individual’s concern seriously and work with them to resolve the problem.
- Investigate the complaint and respond to the individual.
It is important to have procedures in place for handling complaints involving personal data.
If an individual is not happy with how their complaint has been handled, they can contact the ICO who may decide to investigate their claim.
If there has been a breach, enforcement action can be taken against the business, for example:
- Inspection – The ICO has powers of inspection to confirm whether a business is fulfilling its security obligations.
- Issue of notices – The ICO can issue different types of notices such as:
– An information notice – Requires businesses to provide the ICO with certain information.
– An enforcement notice – Issued for non-compliance with data protection laws. It usually requires businesses to take (or refrain from) certain actions, but it can include a ban on data processing.
– An assessment notice – Informs a business that the ICO will carry out a compulsory audit to determine whether they are following the data protection principles.
– A penalty notice – Requires payment for serious breaches of the data protection principles.
- Ban on data processing – The ICO can impose a temporary or permanent ban on data processing.
- Fines – The ICO can fine businesses for data breaches, non-compliance with the DPA 2018 and UK GDPR, and failure to comply with a notice. Businesses can face fines of up to £17.5 million or 4% of annual global turnover (whichever is greater) for infringements of data protection laws.
Individuals who have been affected by the breach may also take a case to court under data protection laws. They can enforce their rights if they think they have been breached or claim compensation for any damage or distress caused (or both).
Non-compliance with the law can be costly for businesses. It can have serious consequences for business operations and could even result in closure.
Individuals have rights, under the DPA 2018, to know what information businesses are storing about them.
They have a right to:
- Be informed about how their data is being used.
- Access their personal data.
- Have incorrect data updated.
- Have data erased (also known as the right to be forgotten).
- Stop or restrict the processing of their data.
- Retrieve and reuse their data for different services (data portability).
- Object to how their data is processed in certain circumstances.
They also have rights when an organisation is using their personal data for:
- Automated decision-making processes (without human involvement).
- Profiling, for example, to predict their behaviour or interests.
You must ensure that you, and anyone who works for you, are familiar with individuals’ rights concerning their personal data.
What to do if you receive a request
If you or your business receives a request from an individual asking for access or erasure of their data, you must:
- Respond to the request as soon as possible and within one month; or
- Inform the individual within one month if there is a delay in providing or erasing their data (for complex or multiple requests). You must explain to the individual why there is a delay; or
- Inform them you are withholding the data or cannot erase their data. There needs to be a valid reason. You do not have to disclose why you are withholding data. However, you do have to inform them of the reasons why you cannot erase their data.
You are permitted to charge administrative costs for requests in particular situations, e.g. where there is a request for a large amount of information, or it would take a significant amount of time to process.
You can find out more about individuals’ rights.
Data protection laws are there to keep our personal data safe and so that businesses respect our privacy. People need to trust that companies are processing their data responsibly and are complying with the law.
As an individual, you will also have personal data processed by many different organisations. You would expect these companies to handle your data safely and legally. If you or your business processes any personal data, you should treat it how you would expect your own to be treated. There is not only a legal obligation but a moral one.
It is easy for businesses, particularly smaller ones, to slip up regarding data protection. Understanding what you need to do will help prevent costly mistakes. It is always best to seek professional advice if you are unsure of the rules and your legal obligations.