And How Does It Affect Businesses?

After many years of development and its introduction in 2016, both the EU’s General Data Protection Regulation and the UK’s Data Protection Act were formally made enforceable on 25th May 2018. As the UK’s state-specific adoption of the GDPR, the DPA 2018 aimed to address several decades of technological and legislative development.

Replacing and advancing the preceding DPA 1998, this updated piece of data protection legislation sought to improve the standards and practices of organisations dealing with personal data, and it has also helped to elevate the data rights of citizens.

The introduction of the DPA also enabled the UK’s Data Protection Authority, the Information Commissioner’s Office (ICO), to enforce these rules, with the power to levy fines far greater than ever before.

At the time of the introduction of the GDPR, the Information Commissioner noted that they would not be looking to ‘make examples’ of non-compliant companies, but now, two years on, there is very little in the way of excuses for failure to comply.

Exactly Who Does the Data Protection Act Apply To?

Though both follow the same basic outline, it’s worth noting that while the GDPR is applied across Europe, the UK’s Data Protection Act and its various deviations apply only to professional or commercial organisations handling personal data within the UK.

As a piece of legislation, the DPA 2018 relates to any organisation that makes use of personal data. Under the GDPR, personal data is defined as any information relating to an identified or identifiable person that could be used, or potentially used, to identify an individual.

There is also another class of personal data, referred to as special category data: a particularly sensitive class which can include information relating to an individual’s religious or political beliefs, medical data etc. This special category data is subject to additional security responsibilities, as a breach of this sensitive information could have especially serious consequences.

International Transfer of Data

The regulation regarding the international transfer of data was originally included as the 8th principle of the DPA 1998, and is now included as one of the seven principles of the GDPR and DPA 2018.

As detailed within Chapter 5 of the GDPR, the regulation now asserts that any personal information collected on EU citizens, or anyone within the EU, can only be transferred out of the EU provided that the recipient state is sufficiently compliant with the principles and practices of GDPR.

Alternatively, personal data can potentially be transferred out of the EU without these GDPR standards in place, provided that the personal data in question is sufficiently pseudonymised.

Applying essentially to any organisation wishing to work with EU-collected personal data, the GDPR and DPA have had major implications for many international businesses, especially those within the technology sector.

Given that many of the biggest social media companies are based in America, these organisations have had to tighten up security practices or risk a significant fine, with many building data centres within host countries to avoid issues relating to international transfers.

Data Protection Fines

From the Reasonably Small…

In June of 2019 the ICO announced a fine of £90,000 being levied against a home security company by the name of Smart Home Protection Ltd. The company had made 118,000 unlawful marketing calls to individuals registered with the Telephone Preference Service (TPS), a service which is designed to stop such calls.

Having received 125 separate complaints about the company, the ICO Director of Investigation stated the offending company “should have been fully aware of their data protection obligations,” adding, “it is a company’s responsibility to…make sure that it has valid consent to make marketing calls.”

…to the Very Big

Following what was referred to as a ‘serious breach of data protection law’, in 2018 the ICO announced the (then) maximum fine possible against social media giant Facebook. The failure to properly secure the personal data in question had occurred between 2007 and 2014, and as such was only subject to pre-GDPR-level fines.

Had the incident(s) taken place after May of 2018, then the maximum fine could have been an astounding £1.7 billion, a total equivalent to 4% of Facebook’s total global turnover from the year previously.

What Does GDPR Not Cover?

As noted, there are certain instances in which an organisation normally governed by the Data Protection Act may have a reason not to fully comply. There are also whole areas in which the Data Protection Act is not applicable to the processing of personal data.

Personal or Household Activities – The processing of personal data outside or unrelated to a commercial or professional use, such as ‘household’ activities, thankfully doesn’t fall within the purview of data protection regulation. As such, you won’t be obliged to pay the data protection fee should you need to SMS your aunt, nor are you likely to face any fines.

Law Enforcement – Though governed by its own stringent set of rules, and definitely required to adhere to many data protection rules, the handling of personal data for the purposes of law enforcement falls outside of the scope of the GDPR specifically, but is addressed within part 3 of the DPA.

National Security – As with law enforcement, matters of national security are again not covered by the GDPR, but are a state-specific matter, which in the UK is outlined in part 2 of the DPA.

Are there Exemptions to Data Protection Regulation?

Having established who the Data Protection Act applies to, you may be asking: ‘what kind of exemptions exist?’ With the integration of GDPR into UK law, certain exemptions to the Data Protection Act were included. Making use of the derogations included in GDPR, the UK legislature included exemptions applying to many aspects of the Act, though many apply only in similar circumstances.

Whether an exemption is valid largely relies on the reasons for processing data. Should compliance with the DPA either a) prejudice the purpose for processing, or b) prevent or substantially impair the ability to process data in a way which is required or necessary for the purpose, then an exemption may indeed be justifiable. Of course, an exemption would also be valid should compliance conflict with other legal duties or boundaries.

Overall, the ICO advises that any exemption should not be routinely relied upon and should be justified and documented on an individual basis. Exemptions to the DPA also do not relieve an organisation of all of its data protection responsibilities; for example, an exemption may only apply to a subject access request (SAR) and not the right to rectification.

Generally speaking, though exemptions exist, unless there are unique circumstances relating to data protection practices, organisations should be compliant. If you’re looking for further details about the many exemptions, the ICO provides a detailed and extensive explanation here.

Necessary Security Protocols

Pseudonymisation

The GDPR encourages ‘pseudonymisation’ of personal data: the replacement of identifiable personal data with codenames that require a separate set of information to identify any of the data subjects. Pseudonymisation allows personal data to be processed without identifiable data points being immediately available, thus protecting subject identity.

Data Minimisation

Data minimisation is the practice of collecting and processing as little data as required for its given purpose. As with pseudonymisation, this method should be implemented to reduce the impact should a breach occur, whilst also helping to maintain the rights of individuals.
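
As an added illustration (not part of the original article or any ICO guidance), the Python sketch below applies both practices described above: each subject's email is replaced with a keyed codename, the lookup table needed to re-identify anyone is returned separately, and only the fields the purpose needs are kept. The field names, the sample records and the choice of HMAC-SHA256 as the codename function are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumption: the processing purpose only needs these attributes.
KEEP = ("plan", "signup_year")

def codename(key: bytes, email: str) -> str:
    """Keyed codename: stable per subject, not derivable without the key."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]

def pseudonymise(records, key):
    """Return (working_set, lookup).

    working_set holds no direct identifiers. lookup is the 'separate set
    of information' and must be stored apart from it, under tighter access.
    """
    working, lookup = [], {}
    for rec in records:
        code = codename(key, rec["email"])
        lookup[code] = rec["email"].strip().lower()
        # Minimisation: drop name and email, generalise the postcode to
        # its outward part, keep only the fields listed in KEEP.
        row = {"subject": code, "postcode_area": rec["postcode"].split()[0]}
        row.update({field: rec[field] for field in KEEP})
        working.append(row)
    return working, lookup

def reidentify(code, lookup):
    """Only possible for whoever holds the separate lookup table."""
    return lookup.get(code)

# Constructed sample records (not real people).
SAMPLE = [
    {"name": "Ann Example", "email": "ann@example.org",
     "postcode": "SW1A 1AA", "plan": "basic", "signup_year": 2019},
    {"name": "Bob Example", "email": "Bob@Example.org ",
     "postcode": "M1 1AE", "plan": "pro", "signup_year": 2020},
    {"name": "Ann Example", "email": "ANN@example.org",
     "postcode": "SW1A 1AA", "plan": "pro", "signup_year": 2021},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep in a secrets store, not with the data
    working, lookup = pseudonymise(SAMPLE, key)
    for row in working:
        print(row)
    print(len(lookup), "subjects in the separate lookup table")
```

A plain unkeyed hash of an email address would not achieve the same separation, because anyone holding a list of candidate addresses could recompute the codenames; the key and the lookup table are what must be held apart from the working data.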

Password Protection and Encryption

When working with any kind of personal data, it should be standard practice that information is adequately password protected and encrypted. Having controls to restrict access or obfuscate information is paramount in protecting the rights of individuals, whilst also upholding the principles of the Data Protection Act.