GDPR, the data protection act and other online security measures changed how businesses view data integrity and confidentiality. Potential personal data breaches have made public interest in protection acts higher than ever before.
Whether they were customers or worked with personal data to any degree, many will remember the months leading up to the establishment of the GDPR.
But how does GDPR relate to the Data Protection Act 2018 in the UK?
What is the data protection act?
A data protection act is a set of regulations that controls the use of personal information and data. Data protection at work concerns how these regulations affect a company or business.
These regulations exist to protect a customer, client or employee’s data.
These include the rights of a customer, client or employee to request this information, as well as how anyone can use the data.
The Information Commissioner’s Office strives to update regulations for greater protection. The Information Commissioner is the one who has the power to issue fines to any companies or businesses that infringe on data protection laws.
The punishments for failing to adhere to data protection acts can include fines of up to 10 million Euros, or in extreme cases, 20 million Euros.
This is why understanding data protection is vital.
The 8 principles of data protection acts
Each new data protection act builds upon its predecessor, from the Data Protection Act 1988 to the Data Protection Act 2018.
These updates improve the key principles of data protection. These aim to improve lawfulness, fairness and transparency when handling personal data.
Data protection principles help to highlight the importance of data protection at work.
Each one provides insight into UK data protection acts. They make it clear what data protection officers expect from GDPR in the workplace.
These data protection act principles include:
Keep the data safe and secure
One of the primary principles focuses on data security. Both a physical and a technical security system must be in place to protect the data. You must maintain these systems at a security level high enough to protect data from security risks.
It is important to ensure that the correct technical and organisational measures are in place. The measures should be proportionate to the risks related to the data a company possesses. This depends on the nature and means of the processing each business undertakes, no matter the scale.
Collect the data fairly and legally
Collecting data lawfully is essential. The collection itself must not have a negative effect on the person whose data is collected.
In an employer and employee scenario it is important to ensure the correct legal basis is selected before the processing takes place. There are six lawful bases to choose from, and many employers process data using the wrong lawful basis to begin with, which can create further legal issues later on.
The six lawful bases are:
- Performance of a contract
- Legal obligation
- Legitimate interests
- Vital interests
- Public task
- Consent
An example of this is when consent is used as the basis for passing employee data to a third party to deal with an HR matter. In an employer and employee relationship, consent is not deemed a valid lawful basis due to the imbalance in that relationship. The employee would also be entitled to withdraw consent at a later date if this basis is used.
A better fit would be performance of a contract, legal obligation or legitimate interests. At least one lawful basis needs to be met before the processing can take place.
The data must fit a reasonable purpose
Transparency with why someone wants a data subject’s personal data is another key principle. When collecting the data, the intent for the data should be clear. This way, someone can't use personal data in a manner that they did not agree to.
The data should be collected for a specific purpose only and not processed for purposes beyond it, which may be deemed incompatible.
For example, a GP discloses his patient list to his wife who runs a travel agency, so that she can offer special holiday deals to patients. Disclosing the information would be incompatible with the purposes for which it was obtained.
The data must be concise and adequate
Any requested data must suit a reasonable purpose, as previously mentioned. But, it must also adhere to data minimisation. This means that the data held shouldn’t exceed its stated purpose.
For example, a company hiring for a new role should only ask for information relevant to the role. Requesting excessive personal information would be a breach of this principle.
You must destroy and/or delete unnecessary data
The data controller must destroy and/or delete personal data when requested to do so, in line with the data subject’s rights. A data subject can make this request at any time, and it applies to any data that is no longer accurate.
All companies should draw up a retention policy which shows the rationale and reasoning behind the retention period for certain data sets. Where possible, this should include a retention trigger date so that complete data destruction is facilitated.
Creating a data deletion and retention policy is key to ensuring compliance to data protection regulations.
Any personal data a company processes must be held for a period that is reasonable and justified in line with the processing. Sometimes a request for erasure or deletion may not be possible. This is because deleting the data would mean a data subject’s request could be overlooked.
For example, a marketing opt out request needs to be flagged and recorded. The data cannot be deleted in its entirety because the contact may reappear at a later date. This would be particularly true if the company buys in marketing lists which could override the suppression request.
A more compliant option would be to suppress the data in line with your firm’s legitimate interest in not overriding previous opt-out requests, and to inform the data subject of the reasons why you cannot fully erase their data.
The data must be accurate
As previously mentioned, requests to destroy inaccurate personal data are fair and valid. Keeping personal data up to date is an important principle. It is so crucial that companies must actively check with an individual that the data they hold is accurate.
For example, a customer’s email address needs to be checked at regular intervals. This screens for spelling mistakes and ensures that personal data is not sent to an unintended recipient. When an individual updates their personal data, the onus is on the company to record the update correctly, both in the first instance and in any other records held on that individual, so that all records are up to date and accurate.
Companies that transfer data outside of the EEA need to ensure that an adequate level of protection is applied to the transfer, such as a legal mechanism or safeguard.
These can take the form of BCRs (binding corporate rules), SCCs (Standard Contractual Clauses) or an Adequacy Decision.
Take into account the data subject’s rights
Above all else, one must respect a customer, client or employee’s rights. If the data is inaccurate, or it is causing the data subject distress, delete the data. A data subject can request this data at any time through a subject access request.
Any living individual can make a request for their personal data. Under current legislation an individual has several rights over their data.
A company is obligated to respond to an individual when they enforce one of these rights, such as making a subject access request, a request for data erasure or a right to data portability.
A company is legally obligated to respond to a request for access to data within an initial deadline of 30 days.
Data protection act summary
Those seeking a Data Protection Act 2018 summary should know some simple truths.
The Data Protection Act 2018 principles increase legal protection for sensitive information.
This sensitive information involves details of personal data including:
- Biometrics: biometric technology is developing faster than protection acts can be established to cover it. However, the 2018 update addressed biometrics as protected personal data.
- Personal beliefs and opinions: this includes a person’s religious beliefs or political opinions. Protecting this sensitive information intends to protect against potential discrimination. This could include a company only wanting to hire those that identify as Christian.
- Race and ethnicity: the law classifies a person’s race and ethnic background as sensitive information. This is for the same reason as personal beliefs and opinions: it could potentially be used for discrimination.
- Health and genetics: this personal data may be common within the medical industry. Information about any illnesses, potential or current, should not be available to anyone but the patient and their doctor.
- Sexual orientation and lifestyle: this personal data might lead to discrimination. It may also need to remain private due to potential health implications.
- Trade union affiliation: while it may not seem a common issue today, an employee’s membership of a trade union should also be private. Specific industries may still see issues with or within trade unions. Any affiliation with one is sensitive information.
When there are requests to destroy or delete data, they must be carried out without undue delay. Some requests may even specify that this must occur within 72 hours.
Any failures to do so can result in hefty fines and damage a company’s image.
This swift call for action outlines how dangerous mishandling personal data can be.
Expert assistance from Peninsula
The ramifications for breaking data protection principles can be severe. Handling requests to destroy the information must be quick and efficient.
Peninsula has the expertise needed to ensure that your company or business doesn’t incur any of these negative effects. Get in touch with us today to see how we can help you: 0800 028 2420