Data Protection Rules
a. The Data Protection Act 2018 (DPA 2018) came into effect in May 2018 to coincide with the General Data Protection
Regulation (GDPR) and the law enforcement directive LED 2016/680 EC. It aims to modernize data protection laws to
ensure they are effective in the years to come
b. GDPR is effective across all 27 EU countries even though they are allowed time for its implementation in each country. In
the UK, these have been included as part of the DPA 2018, it is then important to read both GDPR and the DAP 2018 side
by side.
c. DPA 2018 elements include:-
General data processing:
1. Implement GDPR standards across all general data processing
2. Provide clarity of the GDPR terms to UK citizens
3. Ensure that sensitive Health, Social Care and Education data can continue to be processed to ensure continued confidentiality in
health and safeguarding situations can be maintained
4. Provide appropriate restrictions to rights to access and delete data to allow certain processing currently undertaken to continue where there is a
public policy justification, including for national security purposes.
5. Set the age from which parental consent is not needed to process data online from age 13, supported by a new age-appropriate design code enforced
by the information commissioner.
1. Enact additional powers for the information commissioner who will continue to regulate and enforce
data protect laws.
2. Allow the Commissioner to levy higher administrative fines on data controllers and processors for the
most serious data breaches; being up to £17 million (20 million Euros) or 4% of global turnover
3. Ensure that sensitive Health, Social Care and Education data can continue to be processed to ensure
4. Empower the Commissioner to bring criminal proceedings for offences where a data controller or
processor alters records with the intent to prevent disclosure following a subject assess request.
Who does GDPR apply to?
1. To both ‘controllers’ and ‘processors’ The definition are broadly the same as (DPA 1998).
2. Controller says how and why personal data is processed and the processor acts on the controller’s behalf.
3. Legal requirement – Firms are required to maintain records of personal data and processing activities.
4. Breaches – there is now more significant legal liability. These obligations are a new requirements for Processors.
5. Controllers are still accountable for data breaches by Processors, Controllers)must ensure these contracts comply with the GDPR regulations
What information does GDPR apply to?
1. GDPR applies to personal data. However, this also reflect changes in technology and how data is collected ( e.g., an IP address is personal data.)
2. GDPR applies to automated personal data and to manual filing systems where personal data is accessible according to personal criteria.
What information does GDPR apply to cont’d?
3. This is wider than the DPA’s wider definition and can include chronologically ordered sets of manual
records containing personal data.
4. GDPR applies to automated personal data and to manual filing systems where personal data is
accessible according to personal criteria.
5. Personal data that has been anonymized (key coded) can fall within the scope of the GDPR depending
on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive Personal Information:
Race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (used in passports), health,
sexual life or sexual orientation.
Principles:
1. Under GDPR, the data protection principles set out the responsibilities for organizations (similar to DPA 1998).
2. The most significant addition is an accountable principle – firm must show they comply with the GDPR. An example is where they can show documentation of how they comply with a processing activity.
Data Protection Principles:
All personal data must be:
1. Processed lawfully, fairly and in a transparent manner in relation to individuals
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they were processed.
4. Accurate and where necessary, kept up to date
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and
against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Lawful Processing:
For processing to be lawful under GDPR , firms need to identify a lawful basis before they can process personal data and document it. It is significant as it
has an effect on individual rights (where firms rely on an individual’s consent, stronger rights even to have your data deleted)
Consent:
1. Under GDPR, this must be a freely given, specific, informed and an unambiguous indication of the individual’s wishes.
2. There must be some form of positive opt in, cannot be inferred from silence, pre-ticked boxed or inactivity. It must also be simple to withdraw consent.
3. Consent must also be separate from other terms and conditions and be verifiable.
4. Firms can rely on other lawful bases apart from consent. For example, where processing is necessary for
the purposes of an organization’s or a third party’s legitimate interest.
5. Firms were not required to automatically refresh all existing DPAs existing consents in preparation for
the GDPR but if they relied on individual’s consent to process their data, these must meet GDPR’s standards. If not,
6. firms must either alter the consent mechanisms and seek fresh GDPR consent or find an alternative to consent.
Rights:
The GDPR created some new rights for individuals and strengthens some of those that existed under DPA
a. The right to be informed
b. The rights to access
c. The right to rectification
d. The right to erasure
e. The right to restrict processing
f. The right to data portability
g. The right to object
h. Rights in relation to automated decisions making and profiling
Data Subject Access Request (DSAR):
1. Under GDPR individuals have the right to access their personal data. In a financial services firm, this would mean
providing all the records the firm holds on a particular client such as notes summerising conversations, any recorded
conversations and completed documentation.
2. A DSAR request can be made verbally or in writing using
3. The response time for the organization is usually 1 month, but can be 2 months in certain circumstances
4. If the organization fails to respond, the client must first complain to the organization. If still no reply, they can now
complain to the information commissioner.
5. The first copy of the personal data must be free but a reasonable charge to cover administrative can be charged for
subsequent copies if the organization finds such unfounded or excessive.
Accountability and Governance:
Under GDPR this is most significant as firms are expected to have in place comprehensive but proportionate governance
measures. Good practice tools such as private impact assessments and privacy by design are now legally required in
some circumstances. Finally, practically this can mean more policies and procedures for some, others already have such.
Breach notification:
GDPR has a requirement for firms to report some types of breaches to the supervisory authority and in some cases to the
individuals affected.
Transfer of personal data to third party countries or international organizations:
GDPR restrict firms from transferring personal data outside the European Union to third party countries or international
organization to ensure the GDPR protections are not compromised.