There has undoubtedly been a quite significant shift in emphasis on data protection, with legislation being implemented worldwide. Here we briefly summarise the law applicable in the United Kingdom.

Legislation

The GDPR (European Union General Data Principle Regulations) and the United Kingdom Data Protection Act 2018 (DPA) dovetail to govern data protection in the United Kingdom. The DPA is the United Kingdom’s legislation:https://www.gov.uk/data-protection to implement the principles of the GDPR. In light of “Brexit”, particularly a “no-deal Brexit”, the DPA will likely remain in force; however, the transfer of data between the United Kingdom and European Union countries may be further regulated.

Data, or “personal data” is generally defined as any personal information which can be used to identify someone. This ranges from the obvious examples of name, contact details, and address, to medical records, race, gender, political affiliation and religion.

To process data means to in any way “touch” the data; whether it is captured, stored or transferred by the organisation.

Principles

The general principles of the DPA are:

  • Lawfulness, fairness and transparency; data must be processed lawfully and in a transparent manner
  • Purpose limitation; data must be collected for a specified and legitimate purpose
  • Data minimisation; only data necessary for the purpose of collection should be processed
  • Accuracy; data must be accurate and kept up to date
  • Storage limitation; data must only be stored unencrypted for the period for which it is actually processed
  • Integrity and confidentiality (security); data must only be processed in a manner which does not expose it to loss or destruction; and
  • Accountability; an organisation must be able to display the steps it has taken to abide by the principles as required

Governing Body

The Information Commissioner’s Office (ICO) is the governing body in the UK which enforces the DPA and GDPR.

All organisations which process data must register with the ICO, and failure to do so is a breach of the DPA. If a data subject, (a person whose data is processed), lodges a complaint with the ICO regarding a violation of practices, the ICO will investigate that entity, to determine if they are in breach of the DPA and GDPR, and issue an enforcement notice or fine.

Sanctions

In terms of the DPA, the ICO is authorised to issue enforcement notices, as well as fines of up to £500000. If an organisation breaches the EU GDPR (EU citizens data), this could result in a fine of 4% of the entities annual global turnover or €20 million.