Data Protection Act Updates to Coverage

And How Does It Affect Businesses?

After many years of development and its introduction in 2016, both the EU’s General Data Protection Regulation and the UK’s Data Protection Act were formally made enforceable on 25^th May 2018. As the UK’s state specific adoption of GDPR, the DPA 2018 aimed to address several decades of technological and legislative development.

Replacing and advancing the preceding DPA 1998, this new updated piece of data protection legislation sought to not only improve the standards and practices of organisations dealing with personal data, but the DPA has also helped to elevate the data rights of citizens.

The introduction of the DPA also enabled UK’s Data Protection Authority, the Information Commissioner’s Office (ICO) to enforce these rules with the power to levy fines far greater than ever before.

At the time of the introduction of the GDPR, the Information Commissioner noted that they would not be looking to ‘make examples’ of non-compliant companies, but now, two years on, there is very little in the way of excuses for failure to comply.

Data Protection Fines

From the Reasonably Small…

In June of 2019 the ICO announced a fine of £90,000 being levied against a home security company by the name of Smart Home Protection Ltd. Having made 118,000 unlawful marketing calls to individuals registered with the Telephone Preference Service (TPS), a service which is designed to stop such calls.

Having received 125 separate complaints about the company, the ICO Director of Investigation stated the offending company “should have been fully aware of their data protection obligations.” Adding, “it is a company’s responsibility to…make sure that it has valid consent to make marketing calls.”

…to the Very Big

Following what was referred to as a ‘serious breach of data protection law, in 2018, the ICO announced the (then) maximum fine possible against social media giant Facebook. The failure to properly secure personal data in question had occurred between 2007 and 2014, and as such was only subject pre-GDPR level fines.

Had the incident(s) taken place after May of 2018, then the maximum fine could have been an astounding £1.7 billion. A total equivalent to 4% of Facebook’s total global turnover from the year previously.

What Does GDPR Not Cover?

As noted, there are certain instances in which an organisation, normally governed by the Data Protection Act, may in certain circumstances have a reason not to fully comply, there are also whole areas in which the Data Protection Act is not applicable to the processing of personal data.

Personal or Household Activities – The processing of personal data outside or unrelated to a commercial or professional use, such as ‘household’ activities, thankfully doesn’t fall within the purview of data protection regulation. As such, you won’t be obliged to pay the data protection fee should you need to SMS your aunt, nor are you likely going to be facing any fines.

Law Enforcement – Though governed by its own stringent set of rules, and definitely required to adhere to many data protection rules, the handling of personal data for the purposes of law enforcement falls outside of the scope of the GDPR specifically, but is addressed within part 3 of the DPA.

National Security – As with law enforcement, matters of national security are again not covered by the GDPR, but are a state specific matter, which in the UK is outlined in part 2 of the DPA.

Are there Exemptions to Data Protection Regulation?

Having establish who does the Data Protection Act apply to, you may be asking; ‘what kind of exemptions exist?’ With the integration of GDPR into UK law, certain exemptions to the Data Protection Act were included. Making use of the derogations included in GDPR, the UK legislature’s included exemptions applying to many aspects of the Act, though many apply only in similar circumstances.

Whether an exemption is valid largely relies on the reasons for processing data. Should compliance with the DPA either a) prejudice the purpose for processing, or b) prevent or substantially impair the ability to process data in a way which is required or necessary for the purpose, then exemption may indeed by justifiable. Of course, an exemption would also be valid should compliance conflict with other legal duties or boundaries.

Overall, the ICO advices that any exemption should not be routinely relied upon and should be justified and documented on an individual basis. Exemptions to the DPA also do not relieve an organisation of all of the data protection responsibilities, i.e. an exemption may only apply to a subject access request (SAR) and not the right to rectification.

Generally speaking, though exemptions exists, unless there are unique circumstances relating to data protection practices, organisations should be compliant. If you’re looking for further details, the ICO provides a detailed and extensive explanation on the many exemptions.

Necessary Security Protocols

Pseudonymisation’

The GDPR encourages ‘pseudonymisation’ of personal data. The replacement of identifiable personal data with codenames, that require a separate set of information to identify any of the data subjects. Pseudonymisation allows personal data to be processed without identifiable data points being immediately available, thus protecting subject identity.

Data Minimisation

Data minimisation is the practice of collecting and processing as little data as required for its given purpose. As with pseudonymisation, this method should be implemented to reduce the impact should a breach occur, whilst also helping to maintain the rights of individuals.

Password Protection and Encryption

When working with any kind of personal data, it should be standard practice that information is adequately password protected and encrypted. Having controls to restrict access or obfuscate information is paramount in protecting the rights of individuals, whilst also upholding the principles of the Data Protection Act.