Data Protection

Data Protection Act 2018

The UK Data Protection Act 2018 (DPA 2018) has now replaced its predecessor.  It is based on the EU General Data Protection Regulation (GDPR) which came into force in May 2018.

If your organisation collects, processes, shares or stores the personal data of individuals in the context of selling goods or providing services to citizens in the UK, then you will need to comply with the Act. In the wider context, if you employ or hold data on a single EU citizen, then you will also need to comply with the GDPR.

The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).

Everyone responsible for using personal data has to follow strict rules called “data protection principles”. They must make sure the information is:

  • used fairly, lawfully and transparently

  • used for specified, explicit purposes

  • used in a way that is adequate, relevant and limited to only what is necessary

  • accurate and, where necessary, kept up to date

  • kept for no longer than is necessary

  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

Individuals' rights

Under the DPA 2018, individuals have the right to find out what information organisations store about them. These include the right to:

  • be informed about how their data is being used

  • access personal data

  • have incorrect data updated

  • have data erased

  • stop or restrict the processing of their data

  • data portability (allowing the individual to get and reuse their data for different services)

  • object to how their data is processed in certain circumstances

Individuals also have rights when an organisation is using their personal data for:

  • automated decision-making processes (without human involvement)

  • profiling, for example to predict their behaviour or interests

Who does the Act affect?

The Act will apply to organisations located within the UK and, for those wishing to do business within the EU, it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all organisations collecting, processing, sharing and holding the personal data of data subjects residing in the UK and EU, regardless of the organisation’s purpose or location.

What are the penalties for non-compliance?

Severe financial penalties and other remedies can be handed to organisations who are found in breach of the DPA 2018 and/or the GDPR. Fines can be up to 4% of annual global turnover for breaching GDPR or €20 Million. There is a tiered approach to fines: for example, an organisation can be fined for not having its records in order (Article 28), for not notifying the supervising authority and data subject about a breach, or for not conducting an appropriate privacy impact assessment. It is important to note that these rules apply to both Data Controllers and Data Processors, meaning cloud service providers ('Clouds') will not be exempt from enforcement.

What constitutes personal data?

Any information relating to a natural person (‘Data Subject’) that can be used to directly or indirectly identify the person. It can be anything from a name and address to a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address. There is stronger legal protection for more sensitive information, such as:

  • race

  • ethnic background

  • political opinions

  • religious beliefs

  • trade union membership

  • genetics

  • biometrics (where used for identification)

  • health

  • sex life or orientation

There are separate safeguards for personal data relating to criminal convictions and offences.


What is the difference between a data processor and a data controller?

A Data Controller is the entity that determines the purposes, conditions and means of the collection and processing of personal data, while the Data Processor is an entity which processes personal data on behalf of the controller.

Do data processors need 'explicit' or 'unambiguous' data subject consent - and what is the difference?

The conditions for consent have been strengthened: companies will no longer be able to rely on long, illegible terms and conditions full of legalese. The request for consent must be given in an intelligible and easily accessible form, with the purpose of the data processing clearly attached to that consent, meaning consent must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. Withdrawing consent must be as easy as giving it. Explicit consent is required only for processing sensitive personal data; in this context, nothing short of “opt in” will suffice. For non-sensitive data, “unambiguous” consent will suffice.

What about Data Subjects under the age of 16?

Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent, but this will not be below the age of 13.

What is the difference between a regulation and a directive?

A regulation is a binding legislative act. It must be applied in its entirety, while a directive is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to decide how.

Does my business need to appoint a Data Protection Officer (DPO)?

DPOs must be appointed in the case of: (a) public authorities, (b) organisations that engage in large scale systematic monitoring, or (c) organisations that engage in large scale processing of sensitive personal data (Article 37). If your organisation does not fall into one of these categories, then you do not need to appoint a DPO.

What are the policies for data breaches?

Regulations about responding to data breaches primarily relate to the data breach incident response and notification policies of organisations that have been breached. Data breaches which may pose a risk to individuals must be notified to the data protection authority (DPA) within 72 hours and to affected individuals without undue delay.

For more information please contact us today on 01733 602183/01780 678199 or through our website.

General Data Protection Regulation (GDPR)

What is the difference between a regulation and a directive?
A regulation is a binding legislative act. It must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast to the previous legislation, which is a directive.

Does my business need to appoint a Data Protection Officer (DPO)?
DPOs must be appointed in the case of: (a) public authorities, (b) organisations that engage in large scale systematic monitoring, or (c) organisations that engage in large scale processing of sensitive personal data (Art. 37). If your organisation doesn’t fall into one of these categories, then you do not need to appoint a DPO.

How does the GDPR affect policy surrounding data breaches?
Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the data protection authority (DPA) within 72 hours and to affected individuals without undue delay.

Will the GDPR set up a one-stop-shop for data privacy regulation?
The discussions surrounding the one-stop-shop principle are among the most highly debated and are still unclear, as the standing positions are highly varied. The Commission text has a fairly simple and concise ruling in favour of the principle; the Parliament also promotes a lead DPA and adds more involvement from other concerned DPAs; the Council’s view waters down the ability of the lead DPA even further. A more in-depth analysis of the one-stop-shop policy debate can be found here.

For more information on GDPR, please contact us today on 01480 718311 or through our website.


Contact us today about this service

If you would like to know more about our range of services here at H2 then please contact us today on 01733 602183 or 01780 678199 or complete our contact form.