Introduction to The General Data Protection Regulations
The EU General Data Protection Regulation (GDPR), implemented in the UK by the Data Protection Act 2018 (DPA 2018), represents the most significant change in UK privacy law in 20 years. DPA 2018 places important new obligations on any business that handles the data of individuals living in the EU, independent of where the business is located. Some originally thought DPA 2018 would not affect the UK because of Brexit; it most certainly will. Companies up and down the country will need to prepare themselves in order not to fall foul of the new legislation.
Non-compliance with the new rules may bring severe sanctions for serious offenders.
The UK version of GDPR is the Data Protection Act 2018 and is, like the old Data Protection Act (DPA), underpinned by a number of data protection principles which drive compliance. The data protection principles under DPA 2018 are similar to those found in the old DPA, with one or two amendments.
The following guide will help you understand what is involved.
What do the Terms Mean?
| Term | Meaning |
| --- | --- |
| Personal data | Information about living or identifiable individuals. This need not be particularly sensitive information and can be as little as a name and address. |
| A relevant filing system | Any set of information relating to individuals and structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible. It is for Data Controllers to assess their manual records in the light of this definition. |
| Data Controllers | Those who control the purpose for which and the manner in which personal data is processed. This can be any type of company or organisation, large or small, within the public or private sector. A Data Controller can also be a sole trader, partnership, or an individual. |
| Data Subjects | The individuals to whom the personal data relates. |
| Data Processor | The obtaining, recording, holding, adapting, altering, using, disclosing or destroying of any personal data. |
Special category data
Special category data is personal data which DPA 2018 says is more sensitive, and so needs more protection. There are more categories than under the old DPA, and any data collected that falls into these areas should be treated with care. The categories include:
- ethnic origin;
- trade union membership;
- biometrics (where used for ID purposes);
- sex life; or
- sexual orientation.
If personal data falling into these categories is held, it is likely that the explicit consent of the individual concerned is required. Explicit consent means that the consent of the Data Subject should be informed and freely given and should signify the Data Subject’s specific agreement.
The Information Commissioner has responsibility for enforcing DPA 2018. The Commissioner is an independent public official who currently reports to the EU and also has the following further duties:
- to disseminate information and promote good practice by Data Controllers;
- to disseminate codes of practice for guidance as to best practice.
If personal information is held about living individuals on computer or processed on computer by others (for example, a computer bureau or accountant), notification will probably be required under DPA 2018.
Data Controllers are prohibited from processing personal data without notifying the Commissioner that they hold personal data.
There are two ways to notify the Information Commissioner: via their website, which has an online notification form as well as a question-and-answer section to check whether notification is necessary, or by phone on 01625 545 745.
According to the definition in DPA 2018, a Data Controller must decide the purposes for and the way in which personal data is, or will be, processed.
Essentially, the principles must be applied to individual situations by individual Data Controllers, and the onus is on the Data Controller to ensure that use of data does not breach these principles.
Non-compliance with the principles is not in itself a criminal offence, but if the Commissioner considers that one or more of the principles has been, or is being, breached, the Commissioner can take enforcement action against the Data Controller by issuing an enforcement notice.
If a Data Controller receives an enforcement notice they are entitled to appeal to the independent Data Protection Tribunal. If the Tribunal upholds the Commissioner’s decision, failure to comply becomes a criminal offence. However, the Tribunal may substitute its own decision for the Commissioner’s if it sees fit.
The Data Protection Act 2018 Principles
DPA 2018 sets out a set of principles, largely the same as those in the old DPA, to make sure that information is handled correctly.
| No. | Principle | Meaning |
| --- | --- | --- |
| 1 | Lawful, fair and transparent | When information is collected from individuals, organisations should be open and honest about why they want it. In addition, they must have a legitimate reason for processing the data. |
| 2 | Data minimisation | Data collected on a subject should be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. In other words, no more than the minimum amount of data should be kept for a specific processing purpose. |
| 3 | Purpose limitation | Personal data can only be collected for specified, explicit and legitimate purposes. Data can only be used for a specific processing purpose that the subject has been made aware of, and no other, without further consent. |
| 4 | Accuracy | Data must be accurate and, where necessary, kept up to date. |
| 5 | Storage of personal data | The regulator expects personal data to be kept in a form which permits identification of data subjects for no longer than necessary. Once you no longer need personal data for the purpose for which it was collected, you should delete it unless you have other grounds for retaining it. |
| 6 | Integrity and confidentiality | Requires processors to handle data in a manner that ensures appropriate security of the personal data, including protection against unlawful processing or accidental loss, destruction or damage, using appropriate measures. |
Right of Access
DPA 2018 was created to protect the rights of individuals. This means that a uniform set of rules is in place that applies to all companies falling under the DPA 2018 banner.
Every individual (‘the Data Subject’) is entitled to ask any company they have dealt with what personal data it holds about them.
This information should be made available within one month of receiving the request. The only exception is where the data involved is more complex than normal.
Right to prevent processing which is likely to cause damage
An individual may challenge the accuracy of their personal data. In this instance you should restrict the processing until you have verified the accuracy of the personal data.
Right to prevent processing for direct marketing
Under DPA 2018 any firm that collects your data can only use it for the intended purpose. If an organisation intends to pass personal data to other companies for direct marketing purposes, the express permission of the Data Subject must be obtained first.
Storage of Client Data
DPA 2018 does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that:
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
In practice, this means that Langton London (The Firm) will need to:
- review the length of time we keep personal data;
- consider the purpose or purposes we hold the information for in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes; and
- update, archive or securely delete information if it goes out of date.
The Firm will only keep lapsed files for as long as necessary, and for no longer than 6 years. Liability files will only be kept beyond 6 years if there is an ongoing claim or complaint. After that they will be securely destroyed by shredding and secure disposal.
Electronic files are kept on the Acturis cloud server.
1. DATA SECURITY
Data Security – Staff Procedures
Security of client information is very important to clients and to Langton London (The Firm). The Firm's policy is to be proactive in securing client information, and to achieve this all staff must follow the procedures set out below.
- ALL workstations and laptops are to be password protected at all times.
- Care must be taken to file away client files when not in use and not to leave files on desks overnight (it is appreciated that there will be very little, if any, hard copy data).
- Computers must not be left on and unattended unless they are locked.
- At night cabinets containing paper files/data must be locked.
- Any files removed from the premises for client visits must be logged out and logged back in using the register provided.
- Any removed files must be locked in the boot when being transported.
- Staff must not copy client information from computers onto disks, memory sticks, etc., other than company back-up discs or tapes.
- Any paper documents containing client information that are not needed must be shredded.
- When receiving payments or making refunds by credit card the specific procedures appended to this must be followed.
- At night, the office closing procedures appended must be followed.
- Clients visiting the premises must only use the client entrance (to reception) and if entering main offices must be escorted by a member of staff.
- Computer files are to be backed up from the mainframe and placed in a fireproof safe each night.
- Staff will complete the Development Zone ‘DPA 2018 & Data Security’ assessments at the start of their employment and then approximately every 12 months.
The above procedures are mandatory; disciplinary action will be taken against any person who breaches these rules.
The last person to leave the office will check that all workstations and printers are switched off and that the doors and windows upstairs are locked, then set the alarm and leave by the front door (locking the door behind them).
This is a declaration to confirm that I have read, understand and will follow the firm’s procedures detailed above when dealing with client information.