Data Protection Act 2018
The UK Data Protection Act 2018 (DPA 2018) has now replaced its predecessor, the Data Protection Act 1998.
It sits alongside and supplements the EU General Data Protection Regulation (GDPR), which has applied since 25 May 2018.
If your organisation collects, processes, shares or stores the personal data of individuals in the context of selling goods or providing services to people in the UK, then you will need to comply with the Act.
More widely, if your organisation is established in the EU, or offers goods or services to, or monitors the behaviour of, individuals located in the EU, then you will also need to comply with the GDPR. The test is where the individuals are, not their citizenship.
The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
used fairly, lawfully and transparently
used for specified, explicit purposes
used in a way that is adequate, relevant and limited to only what is necessary
accurate and, where necessary, kept up to date
kept for no longer than is necessary
handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
Under the DPA 2018, individuals have the right to find out what information organisations store about them. These include the right to:
be informed about how their data is being used
access personal data
have incorrect data updated
have data erased
stop or restrict the processing of their data
data portability (allowing the individual to get and reuse their data for different services)
object to how their data is processed in certain circumstances
Individuals also have rights when an organisation is using their personal data for:
automated decision-making processes (without human involvement)
profiling, for example to predict their behaviour or interests
Who does the Act affect?
The DPA 2018 applies to organisations established in the UK. The GDPR applies to organisations established in the EU and, wherever they are located, to organisations that offer goods or services to, or monitor the behaviour of, data subjects in the EU. Together they cover organisations collecting, processing, sharing or holding the personal data of individuals in the UK and the EU, whatever the organisation's sector or purpose.
What are the penalties for non-compliance?
Severe financial penalties and other remedies (such as enforcement notices and orders to stop processing) can be imposed on organisations found in breach of the DPA 2018 and/or the GDPR.
Fines are tiered. The higher tier is up to 4% of annual global turnover or €20 million, whichever is higher, for the most serious breaches (for example of the data protection principles, of data subjects' rights or of the rules on international transfers). The lower tier is up to 2% of annual global turnover or €10 million, whichever is higher, for breaches such as not keeping records of processing activities in order (Article 30), not notifying the supervisory authority and affected data subjects of a breach, or not conducting a data protection impact assessment where one is required. It is important to note that these rules apply to both data controllers and data processors, so cloud service providers will not be exempt from enforcement.
What constitutes personal data?
Any information relating to a natural person, or ‘data subject’, that can be used to directly or indirectly identify that person. It can be anything from a name and address to a photo, an email address, bank details, posts on social networking websites, medical information, or an IP address.
There is stronger legal protection for more sensitive information (the ‘special categories’ of personal data), such as:
racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic data
biometrics (where used for identification)
health
sex life or sexual orientation
There are separate safeguards for personal data relating to criminal convictions and offences.
What is the difference between a data processor and a data controller?
A Data Controller is the entity that determines the purposes, conditions and means of the collection and processing of personal data, while the Data Processor is an entity which processes personal data on behalf of the controller.
Do data processors need 'explicit' or 'unambiguous' data subject consent - and what is the difference?
The conditions for consent have been strengthened: companies can no longer bury a request for consent in long, illegible terms and conditions written in verbose legalese.
The request for consent must be given in an intelligible and easily accessible form, with the purpose of the data processing clearly attached to that consent, meaning consent must be unambiguous: a clear affirmative action by the data subject, so silence, pre-ticked boxes or inactivity do not count. Consent must be clearly distinguishable from other matters and expressed in clear and plain language. Withdrawing consent must be as easy as giving it. Explicit consent (nothing short of an express ‘opt in’ statement) is required where consent is relied on to process special category (sensitive) personal data; for non-sensitive data, unambiguous consent suffices. Two practical caveats: consent is obtained by the controller, not the processor, which processes only on the controller's documented instructions; and consent is just one of six lawful bases, so a controller relying on another basis (for example contract, legal obligation or legitimate interests) does not need consent at all, but must be able to show which basis it relies on.
What about Data Subjects under the age of 16?
Where consent is the lawful basis for offering online services directly to a child, parental consent is required for children under the age of 16; member states may legislate for a lower age of consent, but not below 13. The DPA 2018 sets the UK age at 13.
What is the difference between a regulation and a directive?
A regulation is a binding legislative act that must be applied in its entirety across the EU, while a directive is a legislative act that sets out a goal all EU countries must achieve but leaves it to each country to decide how to achieve it in national law.
Does my business need to appoint a Data Protection Officer (DPO)?
DPOs must be appointed by: (a) public authorities (other than courts acting in their judicial capacity), (b) organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, or (c) organisations whose core activities involve large-scale processing of special category data or data relating to criminal convictions and offences (Article 37). If your organisation does not fall into one of these categories, then you are not obliged to appoint a DPO, but you should document the decision and your reasoning; you may still appoint one voluntarily, in which case the same Article 37 to 39 requirements apply to that DPO.
What are the policies for data breaches?
The rules on data breaches concern how an organisation detects, responds to and reports a personal data breach. A breach that is likely to result in a risk to individuals' rights and freedoms must be reported to the supervisory authority (in the UK, the Information Commissioner's Office, ICO) within 72 hours of the organisation becoming aware of it; where the breach is likely to result in a high risk to individuals, the affected individuals must also be told without undue delay. A processor must notify its controller without undue delay. Breaches that do not meet the risk threshold need not be reported, but every breach must still be documented internally, including the facts, its effects and the remedial action taken.