Data Protection - so what is it all about?

Okay so what is data protection? The responsibilities that you have as a business – will be covered in another Blog or you can download the Quick Audit which provides an explanation, I thought it would be useful to explain what data protection is all about and why it is important.

Back in 1998, the Data Protection Act 1998 replaced the 1984 act, which didn’t really cover digital media or computers. The 8 principles of the 1998 Act, guided the purpose and policies of ogranisations when they were using individual’s personal data. Personal data is information which enables an individual to be identified, directly from the information or in combination with other information that is held.

The 8 principles were, personal data should be:

  • Used fairly and Lawfully

  • Obtained for specified purposes

  • Adequate and not excessive

  • Accurate and kept up to date

  • Retained no longer than necessary

  • Processed in order to subjects rights

  • Protected by appropriate Security

  • Transferred outside EEA unless adequate protection

Do the above look similar? For those with a keen eye you will see that there isn’t that much difference between the DPA1998 Act and the dreaded GDPR which was touted as changing the way data was used. The main thing GDPR actually did (well apart from bringing the legislation into the 21st century – as I used to say when I was training my team – think about how the world and technology has changed since 1998 – I don’t think the internet even existed at that point – or if it did it was being used by scientists to communicate, it certainly hadn’t benefited from the Moore’s law effect*) was to make people accountable when they were using and collecting data. As a business if you were already following the DPA1998 Act then there weren’t many changes however unfortunately not many companies took it seriously. Well, GDPR changed this with the warning of big fines – up to £17.5 million or 4% of annual global turnover. This made many take the changes seriously especially those who understood the value of data to stand up and take notice. As these were the business that would be potentially impacted as a result.

*Moore’s Law – the principle that the speed and capability of computers can be expected to double every two years, resulting in exponential number of transistors a microchip can contain (Dictionary Definition).

So the UK GDPR (as it became known as when the UK left the EU) and the DPA 2018 which implemented the regulations into the UK legal system introduced the following 6 Privacy Principles:

  • Lawfulness, fairness and transparency

  • Purpose limitation

  • Data Minimisation

  • Accuracy

  • Storage Limitations

  • Integrity and confidentiality (Security)

  • Accountability

As you can see a lot of these principles were not new. With the exception of the Accountability principle – which as we have seen with many regulations bringing more people into account for when things go wrong.

So what does each of these principles mean:

Lawfulness, fairness and transparency – to process personal information there must be a valid reason for collecting the information. Gone are the days that you can collect information for the sake of it. If you don’t need the information, it should not be collected, and you shouldn’t keep hold of it. To evidence you have a valid reason for collecting the information you should understand which legal basis you are using and be able to explain this should you be queried. If you are collecting sensitive information – such as health information, religious information or children’s information there are additional considerations that you need to satisfy.

6 legal basis – more on the different legal basis another day – as you can see there is a lot more to this data compliance lark than just a privacy policy!

So, individual’s know what you are doing with your information you need to be able to explain what information you collect about them, why and what you do with it. This enables individuals to make an informed decision as to whether they would like you to borrow their information. the easiest way around this is to provide a privacy policy – however like with any regulations – to enable you to evidence compliance an audit trail should be evident – more information on that in another blog.

Remember GDPR was about putting the ownership of people’s data back into their hands. As companies, you are borrowing their information and like when you borrow things, if someone wants it back you need to ensure this happens. Also whilst you have the thing you are borrowing (i.e. the information) you are responsible for ensuring you are looking after it and treating it with care – including ensuring provisions are in place to adequately protect it and that it doesn’t get into the wrong hands.

Effectively the GDPR introduced a Web of Compliance. As data controllers (those businesses who collect the information and have control over what happens to it) if you are share it with other companies, you are still responsible for it, if they are processing it on your behalf. You therefore need to ensure you are happy that they have the right controls in place and if there are any issues you are notified as soon as possible as you have the responsibility. You can of course reduce some of the liability by ensuring you have appropriate agreements in place with any 3rd parties with whom you may share this data.

Purpose Limitation – you should only collect the information you need. For example, if you don’t need someone’s health information to provide a service to them you shouldn’t be collecting it. It’s not needed, you won’t be able to justify it and you are putting your business risk by holding data you don’t need.

Data Minimisation – again only hold the information you need. When looking at the data you collect you should think about how long you need it for. After this point you should have processes in place for you to delete this information – securely!

Accuracy – the information you hold should be up to date, so you should have systems in place to ensure the information is updated and refreshed on a regular basis. By keeping data forever and a day makes it more likely that the information is out of date, no longer accurate and you will find it hard to evidence compliance. If you hold information about an individual which is out of date, and they request it is updated this should be completed within one month of the request.

Storage limitations – the information should only be held for the period that you require it. This means you need to decide how long you need to keep personal information for, tip – this is generally tied into the legal basis, and after this time ensure it is deleted securely or anonymised (making it impossible to identify the individual from the information).

Integrity and Confidentiality – as a business you need to ensure you have adequate security measures in place to protect the personal information you collect, store. If you transfer personal information to a third party, you much also do this securely. Think Cyber security!

Accountability – this is worthy of a blog in it’s own right but very quickly. To be able to evidence compliance you need to be able to evidence this, evidence is generally an audit trail which explains and backs up what you have done and why, and where possible justify any actions, you have taken. As a business you need to be able to evidence you take responsibility for the personal information you borrow and what you do with it.

Hopefully this blog has provided some information as to why Data Protection is important and what things you need to consider as a business to ensure you are adhering to the data protection principles.

Want to know which areas of compliance you may be failing down on? – Undertake the check audit now.

 
My Business Genie

Empowering businesses to navigate Governance, Risk & Compliance with Finesse

Previous
Previous

Promise I Won’t Spam You