How protected is your data

GDPR was introduced in 2018 through the The Data Protection Act 2018 as the UK’s implementation of the EU’s General Data Protection Regulation (GDPR). Under the Act, everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

• used fairly, lawfully and transparently
• used for specified, explicit purposes
• used in a way that is adequate, relevant and limited to only what is necessary
• accurate and, where necessary, kept up to date
• kept for no longer than is necessary
• handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

There is stronger legal protection for more sensitive information, such as:

• race
• ethnic background
• political opinions
• religious beliefs
• trade union membership
• genetics
• biometrics (where used for identification)
• health
• sex life or orientation

There are separate safeguards for personal data relating to criminal convictions and offences.

Your rights

Under the Data Protection Act 2018, you have the right to find out what information any organisation stores about you. These include the right to:

• be informed about how your data is being used
• access personal data
• have incorrect data updated
• have data erased
• stop or restrict the processing of your data
• data portability (allowing you to get and reuse your data for different services)
• object to how your data is processed in certain circumstances

You also have rights when an organisation is using your personal data for:

• automated decision-making processes (without human involvement)
• profiling, for example to predict your behaviour or interests

Coming down the track…

Since Brexit, the government has said that it wants to diverge from the EU standard for data protection and replace certain aspects of GDPR with its own version. There is some concern that the provisions in its new draft legislation, the latest version called the “Data Protection and Digital Information (No. 2) Bill”, will make things less protected for consumers.

What is the Data Protection Act?

The Data Protection Act, as it stands, makes GDPR tailored to the UK by setting out separate data protection rules for law enforcement authorities, extending data protection to areas of national security and defence, and setting out the Information Commissioner’s functions and powers.

The Data Protection Act applies to any organisation, person or government that uses or holds personal data on individuals within the EU and UK.

Although the Act tailors and incorporates GDPR standards, and so the two are similar in many ways, there are key differences between the two, such as the Act covering standards outside the scope of the GDPR, more detail on that below!

What are the principles of the Data Protection Act?

For any organisation or business that processes personal data, the Act outlines 6 ‘data protection principles’. In order to avoid any penalties and fines, and to help secure the rights of your customers, companies must make sure the personal data is:

• Processed lawfully, fairly and transparently - Companies need a legal basis under the GDPR for collecting and using personal data. They should use personal data in a way that is fair, and not in a way that’s excessively detrimental or misleading to the individuals concerned. They should also be clear and honest with people from the start about how you will use their personal data.
• Used for specified, explicit, and legitimate purposes - Companies need to be clear about their purpose for processing personal data from the start, and the processing must be necessary and proportionate to this specified purpose. They shouldn’t use data for any other purpose than specified unless you get consent from the data subject or have a clear obligation set out in law.
• Processed in a way that is adequate, relevant and limited to only the purpose for which it was collected - Companies should collect enough data so that they can properly fulfil their purpose, but it should only be data that is relevant to that purpose. They shouldn’t hold more data than they need.
• Accurate and, where necessary, kept up to date - Companies should take reasonable steps to ensure that the personal data they hold isn't incorrect or misleading, and if it is, that it's erased or rectified as soon as possible. Companies may also need to keep personal data up to date depending on the type of data. The quality of personal data also needs to be verified before its processed, and the information used to verify it should be documented.
• Kept for no longer than is necessary - Personal data should not be kept for longer than it's needed to fulfil its purpose. Companies must be able to justify this time period. For example, data can be kept longer if you're only keeping it for public interest archiving or scientific or historical research. Data should be periodically reviewed, erased or anonymised if it's no longer needed.
• Handled in a way that ensures appropriate security - Companies need to ensure personal data is processed using appropriate technical or organisational measures, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. This is needed to ensure individual confidentiality and integrity.

There’s also stronger legal protection for more ‘sensitive’ information, such as: race, ethnic background, political opinions, religious beliefs, trade union membership, health, genetics, sex life or orientation, and criminal offence data. This is called ‘special category data’.

Unlike other personal data, there are special conditions for processing special category data, for example, you can’t claim ‘legitimate interest reasons’ and use special category data such as health to market for your pharmaceutical business. Companies must also take extra precautions to ensure the security of this data. Sometimes a company is required to hold an ‘appropriate policy document’ where it describes the data processed, the reasons for processing this data, and the procedures followed to ensure all six principles have been met.

What is the difference between the Data Protection Act and GDPR?

The GDPR applies in all EU Member States without needing to be implemented by national legislation. This means that the Data Protection Act 2018 doesn’t need to re-state the GDPR as organisations have to comply with GDPR anyway, and the two should be looked at side by side. However, GDPR gives Member States opportunities to make provisions for how it applies in their country specifically.

The differences between the GDPR and Data Protection Act 2018 (DPA) are:

• The DPA states that a child can consent to data processing at age 13, whilst the GDPR sets this at 16
• The GDPR requires those processing criminal data to have official authority, the DPA does not
• The GDPR states that data subjects have a right not to be subject to automated decision making and profiling, whereas the DPA allows for this whenever there are legitimate grounds for doing so and their individual rights and freedoms are protected
• The DPA allows some of the rights of data subjects, ensured by the GDPR, to be ignored if they hinder an organisation’s ability to carry out their functions when processing data for historical, scientific, statistical and archiving purposes
• The DPA provides additional lawful bases than the GDPR for processing sensitive personal data. With appropriate safeguards, it's permitted for use in cases of employment, social security, and social protection purposes, health and social care purposes, archiving, research and statistics purposes, public interest purposes, and criminal convictions data
• The GDPR gives Member States the opportunity to balance the right to privacy with the right to freedom of expression and information. The DPA uses this opportunity and provides an exemption from certain personal data protections when personal data is processed for publication in the public interest.

The DPA is also wider in scope than the GDPR and covers areas such as:

• Criminal sanctions and fines for GDPR infringements, for example, the introduction of an unlimited fine for the new offence of intentionally or recklessly re-identifying individuals from anonymised data
• Processing relating to national security and immigration
• The duties and powers of the UK’s Information Commissioner’s Office (ICO).

Who enforces the Data Protection Act?

Since the UK left the EU, the Act is governed solely by the UK justice system.

The Act gives additional powers for the Information Commissioner to regulate and enforce data protection laws. The Commissioner has the power to fine data controllers and processors up to £17m or 4% of global turnover for the most serious data breaches. The Act also allows the Commissioner to bring criminal proceedings against offences where a data controller or processor alters records with intent to prevent disclosure following a subject access request.

Whatever next?

It seems part of the government’s most recent proposed bill regarding data protection, the “Data Protection and Digital Information (No. 2) Bill”, aims to cut away at some requirements on businesses to keep records and undertake proactive oversight of their data processing activities. This could have implications for their ability to respond to user requests related to data, whether related to data portability where the consumer wishes to enable sharing their personal data with another organisation, or indeed where they want their data completely erased. Reducing the need for businesses to provide comprehensive accounts of what information may have been exposed if they suffer a security breach could be interpreted as a regressive step.

Even if the aim of the government is to ‘reduce paperwork for businesses’, if it leads to companies being unable to respond to ‘subject access requests’ because they don’t actually know what data they have on any individual any more, that doesn’t feel like it’s in the interests of consumers. Watch this space.

Protecting your data

Under the Data Protection Act, fuelled by GDPR, you have the right to ask any organisation what data they have on you and you have the right to ask that it be deleted. Our data gets left behind in a mass of places that we often forget about, or don’t even know about. We sometimes refer to this phenomenon as your ‘digital footprint’, the trail of data that gets left behind through any online activity, from internet shopping to social media posts and comments, what we read on news sites, critical personal data that we leave on websites such as credit card data, bank details, passport information, names, addresses, emails - the list is almost endless.

The problem with all that personal data sitting out there is that it’s vulnerable to abuse. And it can get abused when hackers break into company databases and access personal data. They can sell it on to scammers who will use it to trick you into parting with further information, con you into parting with money or even commit identity theft which is devastating both financially and emotionally and can impact long term credit status.

GDPR was designed to help protect people from their data being abused. It gives you the right to get your data deleted from any organisation that no longer needs it. The easiest way to find out who has your data and ask them to delete it is to use our Rightly Protect service. It’s quick, simple and free.