Data Protection

The Data Protection Act 2018, together with the General Data Protection Regulation (GDPR), regulates the way personal data is handled by businesses and organisations and what rights the data subject has to control it.

Any business that obtains, records or holds personal information needs to comply with the principles of the Act. Personal information is essentially any information that can identify a living individual and specifically includes opinions about them or outcomes for them.

Data Controllers own and are responsible for the data; they decide what information they need and how they will process it.

Data Processors process data on behalf of a Data Controller under their instruction, but are not employed by them.

Essentially information must be:

  1. used fairly and lawfully
  2. used for limited, specifically stated purposes
  3. used in a way that is adequate, relevant and not excessive
  4. accurate
  5. kept for no longer than is absolutely necessary
  6. handled according to people’s data protection rights
  7. kept safe and secure
  8. not transferred outside the European Economic Area (without adequate protection for the rights and freedoms of data subjects in relation to the processing of personal data)

The business needs to pay the data protection fee unless it is exempt. There is a self-assessment questionnaire on the Information Commissioner’s website to help you decide whether you need to pay the fee.

The Act also deals with data subjects’ rights. When you collect data you need to be transparent about why you are collecting it and how you will use it. This should be set out in an easy-to-find (and easy-to-read) privacy policy. When you share data you need to make it clear why and with whom you are sharing it.

Subject access requests and data breaches are also covered in detail, along with security measures to take to protect the data.

There are specific requirements and guidance if you outsource your data handling to a third-party data processor, requiring suitable due diligence and written agreements. If you use CCTV, cloud computing or engage in direct marketing, to name but a few, there is also specific guidance available.

The Information Commissioner is the regulator and can impose substantial penalties for infringements.

Data subjects have a right to claim compensation if a company has caused them damage by a breach.

If you are unsure of where you stand, you may be interested in our Data Protection MOT.