GDPR, the data protection act and other online security measures changed how businesses view data integrity and confidentiality. Potential personal data breaches have made public interest in protection acts higher than ever before.
Whether as customers or as people who worked with personal data to any degree, many will remember the months leading up to the introduction of the GDPR.
But how does GDPR relate to the Data Protection Act 2018 in the UK?
What is the data protection act?
A data protection act is a set of regulations that controls the use of personal information and data. Data protection at work concerns how these regulations apply to a company or business.
These regulations exist to protect a customer, client or employee’s data.
They set out the rights of a customer, client or employee to request this information, as well as the ways in which anyone may use the data.
The Information Commissioner’s Office strives to update regulations for greater protection. The Information Commissioner has the power to issue fines to any company or business that infringes data protection laws.
Failing to adhere to data protection acts can result in fines of up to 10 million euros, or in extreme cases, 20 million euros.
This is why understanding data protection is vital.
The 8 principles of data protection acts
Each new data protection act builds upon its predecessor, from the Data Protection Act 1988 to the Data Protection Act 2018.
These updates refine the key principles of data protection, which aim to improve lawfulness, fairness and transparency when handling personal data.
Data protection principles help to highlight the importance of data protection at work.
Each one provides insight into UK data protection acts. They make it clear what data protection officers expect from GDPR in the workplace.
These data protection act principles include:
Keep the data safe and secure
One of the primary principles focuses on data security. Both a physical and a technical security system must be in place to protect the data. You must maintain these systems at a security level high enough to protect data from security risks.
For example, a small business that only handles a customer’s name and address can have a standard security system. However, a large bank would merit top-of-the-line physical, technical and online security systems.
Collect the data fairly and legally
Collecting data lawfully is essential. The collection itself must not have a negative effect on the person whose data is collected.
For example, an e-commerce website can request customer information as website experience feedback. However, it cannot ask to access their purchase history from competitors, even though some businesses may want this data for marketing purposes.
The data must fit a reasonable purpose
Transparency about why someone wants a data subject’s personal data is another key principle. When collecting the data, the intended use should be clear. This way, nobody can use personal data in a manner the data subject did not agree to.
For example, a clothing chain can reasonably market new products to a customer using their data. However, they cannot share the data with any affiliated chains or stores for their marketing attempts.
The data must be concise and adequate
Any requested data must suit a reasonable purpose, as previously mentioned. But it must also adhere to data minimisation. This means that the data held shouldn’t exceed what its stated purpose requires.
For example, a company hiring for a new role should only ask for information relevant to the role. Requesting excessive personal information would be a breach of this principle.
You must destroy and/or delete unnecessary data
The data controller must destroy and/or delete any personal data when requested to do so, in line with the data subject’s rights. A data subject can make this request at any time, and it applies to any data that is no longer accurate.
For example, a one-time customer who keeps receiving marketing material from a company may request to have their personal data deleted if they tire of the constant marketing.
The data must be accurate
As previously mentioned, requests to destroy inaccurate personal data are fair and valid. Keeping personal data up to date is an important principle. It is so crucial that companies must actively check with an individual that the data they hold is accurate.
For example, if an employee is moving from an old home to a new address, the company they work for must have this new address on record. Failing to do so could result in personal information, such as payslips, going to an old address.
Cannot transfer data to countries outside EEA
Different countries have different levels of data protection standards. Because of this, data cannot be transferred from a country with more rigorous data protection standards to one with weaker standards.
For example, EU countries with a ‘Privacy Shield’ may protect personal data more strongly than countries in Asia. Without the consent of a data subject in the EU, sending their personal data to a country in Asia would be a breach of the data protection act.
Take into account the data subject’s rights
Above all else, one must respect a customer, client or employee’s rights. If the data is inaccurate, or it is causing the data subject distress, delete the data. A data subject can submit a subject access request for this data at any time.
For example, a customer feels that a third party has their data. They do not want this third party to have access to their data, so they submit a subject access request. Regardless of whether they learn about the data sharing, the customer can request the destruction of the data.
Data protection act summary
Those seeking a Data Protection Act 2018 summary should know some simple truths.
The Data Protection Act 2018 principles increase legal protection for sensitive information.
This sensitive information involves details of personal data including:
- Biometrics: biometric technology is advancing faster than people can establish protection acts. However, the 2018 update addressed biometrics as protected personal data.
- Personal beliefs and opinions: this includes a person’s religious beliefs or political opinions. Protecting this sensitive information intends to protect against potential discrimination. This could include a company only wanting to hire those that identify as Christian.
- Race and ethnicity: the law classifies a person’s race and ethnic background as sensitive information. This is for the same reason that personal beliefs and opinions are protected: they could potentially be used for discrimination.
- Health and genetics: this personal data may be common within the medical industry. Information about any illnesses, potential or current, should not be available to anyone but the patient and their doctor.
- Sexual orientation and lifestyle: this personal data might lead to discrimination. It may also need to remain private due to potential health implications.
- Trade union affiliation: while it may not seem like a common issue in modern times, an employee’s membership of a trade union should also be private. Specific industries may still see issues with or within trade unions. Any affiliation with one is sensitive information.
When there are requests to destroy or delete data, they must be carried out without undue delay. Some requests may even specify that this must occur within 72 hours.
Any failures to do so can result in hefty fines and damage a company’s image.
This need for swift action shows how dangerous mishandling personal data can be.
Expert assistance from Peninsula
The ramifications for breaking data protection principles can be severe. Handling requests to destroy the information must be quick and efficient.
Peninsula has the expertise needed to ensure that your company or business doesn’t incur any of these negative effects. Get in touch with us today to see how we can help you.