Data Protection Act 2018

All organisations, regardless of size, must make sure the information is:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

There is stronger legal protection for more sensitive information, such as:

  • race
  • ethnic background
  • political opinions
  • religious beliefs
  • trade union membership
  • genetics
  • biometrics (where used for identification)
  • health
  • sex life or orientation

There are separate safeguards for personal data relating to criminal convictions and offences.

And there are some big bear traps in there for those who are not prepared. For instance:

Under the Data Protection Act 2018, you have the right to find out what information the government and other organisations store about you. These include the right to:

  • be informed about how your data is being used
  • access personal data
  • have incorrect data updated
  • have data erased
  • stop or restrict the processing of your data
  • data portability (allowing you to get and reuse your data for different services)
  • object to how your data is processed in certain circumstances

You also have rights when an organisation is using your personal data for:

  • automated decision-making processes (without human involvement)
  • profiling, for example to predict your behaviour or interests

So, if an individual wishes to see what data you hold about them, you must have a process to find that data. Likewise, if a person wishes their data to be removed or updated, you must have a process to do that.

But the first step, in my view the most important step, is educating your staff. Most data breaches resulting in fines imposed by the Information Commissioner's Office (ICO) stem from an employee doing something they didn't know they shouldn't, or from an organisation not realising that the way it handles personal data is, in fact, illegal. Sadly, for many organisations who found themselves in this position, ignorance of the law is no excuse.

So how can you ensure that your staff are aware? Here at H2 we are about to launch another e-learning course, this time aimed specifically at data protection. Like our Cyber Awareness Course, it is aimed at staff who handle and process personal data, rather than at those aspiring to become a Data Protection Officer, for example.

Here at H2 we are always happy to work with local IT providers to design affordable and flexible one-off and ongoing data protection and cyber risk protection services.