Data Protection
What does data protection mean?
Data protection (sometimes shortened to ‘DP’) is a human right. It gives living individuals in those parts of the world which have data protection laws (most countries) the power to control how information which can identify them (‘personal data’) is used (‘processed’) by others, including organisations. This is what is meant by data ‘protection’ – people protecting their valuable, sometimes sensitive, data from being exploited, stolen, lost, compromised or otherwise misused.
What are the 7 principles of the
General Data Protection Regulation (GDPR)?
The seven principles of the GDPR are:
- Lawfulness, fairness, and transparency
- Purpose limitation (only using personal data for specified, explicit purposes)
- Data minimization (not using more data than you need)
- Accuracy
- Storage limitation (not keeping data for longer than is required for the purpose or by law)
- Integrity and confidentiality
- Accountability.
All organisations which are subject to the General Data Protection Regulation (GDPR) have to abide by these principles and be able to show evidence of their compliance. People (‘data subjects’) can enforce these principles by exercising what are called ‘data subject rights’. There are eight of these in the GDPR, including the right of subject access and the right to erasure.
What are examples of measures which your organisation
can use to protect personal data?
Examples of data protection measures include encryption, access control, data backup and recovery, data masking, and data destruction.
If you’re looking for support in achieving compliance with the General Data Protection Regulation (GDPR) and other data protection-related legislation, and then maintaining it, URM can provide you with a wide range of services.
What are 4 key components of the GDPR?
4 key components of the GDPR, in URM’s estimation, are:
- The principles (and in particular the duty of accountability)
- The requirement that all processing must have at least one lawful basis (from a list of only six in the Regulation)
- The obligations on organisations to produce, maintain and provide statutory documents to help prove their compliance
- The very large fines that data protection regulatory authorities can impose on organisations which break the law.
What are the basics of data protection from
an organisational perspective?
When processing people’s personal data, your organisation must do so lawfully and ensure that personal data is secure, confidential, and only accessible to authorised personnel. Your organisation must also implement measures to protect data from unauthorised access, use, disclosure, destruction, or modification.
Why are the data protection principles important?
The data protection principles are important because they ensure that personal data is processed in a lawful, fair, secure, and transparent manner. They also ensure that individuals have control over their personal data and that organisations are held accountable for how they use it.
What are the 8 data subject rights of GDPR?
The 8 rights the GDPR provides all individuals with are the rights to:
- Be informed
- Access their data
- Rectification
- Erasure
- Restrict processing
- Data portability
- Object
- Not to be subject to automated decision-making.
How many data protection laws are there in the UK?
There are many laws which have a bearing on people’s privacy in the UK, but the main ones are: the Data Protection Act 2018; the UK GDPR (which is the version of the GDPR which applies to the personal data of people in the UK); the EU GDPR (which is the original version of the GDPR which still applies in the UK to EU people’s data processed by UK organisations); and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
Is the UK still covered by the GDPR?
Yes, but following Brexit there are now two versions of the GDPR in the UK (the only country in the world which has this!). There is the UK GDPR which applies to the data of people who are in the UK processed here or around the world, and the original EU GDPR which still applies to the processing in the UK or elsewhere of data of people who are in the EU).
Is the GDPR being scrapped in UK?
No, organisations in the UK may still be subject to the GDPR – in fact many UK organisations now have two versions of it to comply with (the UK GDPR and the EU GDPR), depending on which people’s personal data they are processing.
Does the UK GDPR only apply to UK citizens?
No, the UK GDPR applies to the processing of data of any people who are in the UK, regardless of residence or nationality.
What are the differences between the UK GDPR
and EU GDPR?
The UK GDPR is currently largely the same as the EU GDPR, but there are some small differences in the ways the regulations are enforced and interpreted. For example, the UK GDPR has additional provisions for data protection in the public sector, and the regulator which enforces the UK GDPR is the UK Information Commissioner’s Office, not the EU supervisory authorities .
What is the UK-GDPR?
The UK-GDPR is the UK’s version of the EU’s General Data Protection Regulation (GDPR). It is a set of regulations that govern how the personal data of people in the UK is collected, stored, and used by organisations. It is designed to protect the privacy of UK individuals and ensure that their data is handled responsibly.
What is a privacy notice?
A privacy notice (sometimes confusingly referred to as a ‘privacy policy’) is simply a statement your organisation needs to provide to the people whose personal data you are processing. It describes the types of data which your organisation is gathering, the purposes for which the data is used by your organisation, the legal basis for doing so, and how long your organisation will keep it for, along with other information useful to the individual data subject. As well as being a legal requirement (it is how data subjects’ GDPR right to be informed is met), your organisation’s privacy notice (or notices – you may have several, for different processes) helps show that your processing is fair and transparent. The privacy notice is a very important compliance document, because it is often your first data protection-related contact with data subjects, and, therefore, you first opportunity to make a good impression!
Download our White Paper "Top 10 Tips for Ensuring GDPR Compliance" and discover the importance of getting privacy notices right.
What is a ROPA?
ROPA stands for ‘record of processing activities’ and it is just that – a document which records all the operations and functions of your organisation which involve the processing of personal data. For some large organisations undertaking complex processing the ROPA could cover hundreds of processes, but for many organisations it will include fewer than a couple of dozen.
URM has helped a number of organisations develop their ROPAs and once developed can help you identify not just the risky processing, but also the mitigating steps that can be taken to control those risks. Please follow the link for more details.
Why is a ROPA Important?
First of all, the ROPA (record of processing activities) is a statutory document so, for the vast majority of organisations, it is currently required by law (the GDPR). The UK’s privacy regulator, the Information Commissioner’s Office (ICO), can ask to see it at any time. Secondly, compiling a ROPA is a great place for your organisation to start your data protection compliance programme. As an overview of all your processes involving personal data – everything from HR to email marketing to customer relationship management – the ROPA can also act as your initial, high-level, GDPR risk identification tool. Such data risks can include: lack of a lawful basis for processing, absent or inadequate privacy notices, keeping data for longer than is necessary, or not having carried out a data protection impact assessment when the GDPR requires one.
Download our White Paper "Top 10 Tips for Ensuring GDPR Compliance" and discover the far reaching value of ROPAs
What is a data protection impact assessment (DPIA)?
A data protection impact assessment (DPIA) is a risk assessment tool – a bit like a health and safety risk assessment, but instead of risks of physical injury the DPIA focusses on personal data risks. These can be risks of breaching the seven principles, or specific articles of the GDPR or sections of the Data Protection Act 2018, or any of the other data protection legislation in the UK.
URM’s DP consultants are able to advise you on where you should be conducting DPIAs but, more importantly, how to conduct them and what the outputs should be, e.g., identifying and assessing risks to individuals taking into account both likelihood and severity of any risk, as well as identifying any additional measures to mitigate those risks. Click here to find out more about conducting DPIAs.
Why do you need to conduct a data protection
impact assessment (DPIA)?
Under the GDPR, if your organisations is a controller (i.e., you decide how personal data is used and for what) you are required to perform a DPIA if you are engaging in processing which is ‘high risk’. The Regulation gives three examples of processing where a DPIA is mandatory. The ICO also publishes a list of 10 other types of processing for which it requires controllers to carry out a DPIA, and some others where it recommends a ‘best practice’ DPIA be conducted. A DPIA not only helps your organisation to identify data risks in more detail than the ROPA, it also allows you to assess those risks and formulate countermeasures you can apply to reduce or remove them.
Find out how URM can help you with your DPIA.
What is data protection by design?
Under the GDPR, if your organisation is a controller, you must ensure that good DP practices (‘appropriate technical and organisational measures’)which implement the Regulation’s principles are followed on a day-to-day basis – as the default option – by all your staff who interact with personal data (often everyone!).
Following these principles is known as practising ‘data protection by design’.
How do you achieve GDPR compliance?
A very good first step is to contact URM! This is obviously a very broad question, but an effective way for your organisation to start on its GDPR compliance journey would be to:
- Map its dataflows
- Produce and keep up to date its record of processing activities (ROPA)
- Carry out any mandatory or best practice data protection impact assessment (DPIAs) and implement the outcomes
- Generate and maintain privacy notices
- Embed DP by design in all its existing processes and new projects involving personal data
- Provide regular GDPR update training to all staff.
Basically, GDPR compliance (a bit like health and safety compliance) needs to become business as usual in your organisation – so use every means (e.g., team meetings, onboarding and refresher training, new project checklists, employment contracts, six-monthly staff performance assessments etc) to make GDPR compliance concepts and language ‘part of the office furniture’.
What data protection policies are required and why?
The ‘why’ part first – DP policies are compulsory (for controllers at least). The GDPR requires controllers to implement “appropriate data protection policies”. It does not, however, say what types of policies. In URM’s opinion the minimum DP policies which an organisation, regardless of size, should develop are (in no order of priority!) a:
- General DP policy
- Personal data retention policy
- Information security policy
- Data subject rights policy
- Personal data breach management policy.
There is a practical, as well as legal, compliance reason for having DP policies, and that is they provide structure to your organisation’s privacy compliance programme. They do this by formally underpinning your compliance efforts (in such areas as embedding data protection by design, and demonstrating accountability), e.g., staff are contractually obliged to observe your organisation’s policies, including DP ones.
What do I need to do when sending personal data
outside of the UK?
The answer to this question involves the two versions of the GDPR (UK GDPR and EU GDPR) we have had in the UK since Brexit. Simply stated, if the data your organisation is sending out of the UK is subject to the UK GDPR, and that data is not going to a country which has an adequacy decision from the UK Government, then any new agreements facilitating such a transfer since 21 September 2022 have to include what are called standard contractual clauses (SCCs). The SCCs are produced by the Information Commissioner’s Office (ICO) must be used unless the transfer is protected by one of the other safeguards in the UK GDPR. The ICO’s SCCs are known as the International Data Transfer Agreement or IDTA. Accompanying the IDTA, there must also be a transfer risk assessment (TRA) of the transfer, carried out by the organisation which is initiating the transfer. The template IDTA and TRA are both available on the ICO’s website. If your organisation is sending out of the UK EU people’s data which is subject to the original EU GDPR, then (since 27 September 2021) any new agreement regulating such a transfer needs to include the EU’s 2021 SCCs (not the ICO ones). It also needs to be accompanied by a transfer impact assessment (or TIA) which is a risk assessment like the ICO’s TRA, but with different emphases. If your UK organisation wants to make an overseas transfer of personal information which contains data which is subject to both the UK GDPR and the EU GDPR (i.e., UK and EU people’s data in other words) then the ICO has said that the organisation can use the 2021 EU SCCs to make such a combined transfer, but the EU SCCs must be supplemented by a document issued by the ICO called the Addendum. The Addendum adapts the wording of the EU SCCs for UK GDPR purposes.
Are You Getting Cookies Compliance Wrong?
URM’s blog discusses the GDPR and PECR requirements on cookies, common noncompliant practices & how you can ensure your approach to cookies is compliant.
In this blog, we will outline a step-by-step procedure on how you can create a ROPA.
Under the UK GDPR, the majority of organisations processing personal data are required to create and maintain a ROPAs
URM’s blog explores the different requirements introduced by these new laws, and the likelihood of a subsequent UK/EU adequacy decision for each nation.