Data protection

Data Protection Act 2018

• The General Data Protection Regulation is a set of EU-wide data protection rules that
have been brought into UK law as the Data Protection Act 2018

• The GDPR strengthens the data rights of EU residents and harmonises data protection law across all
member states, making it identical

• In essence, it seeks to bring more transparency to people about what data organisations collect, and
what those organisations use it for, as well as enabling people to prevent unnecessary data collection

• Under GDPR rules it is up to you to make a positive choice to agree to further direct marketing
communications by email, such as ticking a box or agreeing over the phone. Withdrawing your
consent should be as easy as giving it e.g. by companies providing an unsubscribe link at the bottom
of their marketing emails
What ‘data’ should be
protected?
 Why was the GDPR drafted?

• While many of the GDPR's rules are similar to those defined in the EU's Data
Protection Directive 1995 (which was enshrined in UK law as the Data Protection Act
1998), the older directive was created before the age of social media, and before the
internet had properly transformed the way we work and live

• Almost all of us have enjoyed the use of 'free' services from the likes of Google,
Facebook and Twitter in exchange for a wide range of personal information – from
names and email addresses, to political leanings and sexual orientations. Confusing
terms and conditions and passive opt-out tick boxes made it harder for people to
understand what exactly they were agreeing to give these tech giants

• The potential consequences of this widely-defined remit for personal data was
demonstrated by Facebook's Cambridge Analytica scandal, where a third party app
saw millions of users' profile data scraped, allegedly to influence the outcome of the
2016 US election
 Data protection act
terminology
• Data Subject – person whose personal data is being processed
• Personal Data – Information relating to a living individual who can be
identified from that information or from a combination of that information in the
possession of the data controller
• Sensitive personal data – can only be processed with the individual’s
explicit consent (not sufficient enough to state individual has never specifically
withheld their consent)
 • What about CCTV?

• Online/data sharing apps?

• Wi-Fi analytics?
 Sensitive data
• Racial origin
• Religious beliefs
• Political persuasions
• Physical health
• Mental health
• Criminal records
• Sexual health
 Processing
• Has a very broad meaning, covers all aspects of owning data
including:

- obtaining data in the first place

- recoding of the data
- organisation or alteration of the data
- disclosure of the data by whatever means
- erasure of destruction of the data
• Data controller – is the legal person who determines the
purposes for which the data is processed and the way it is
done
• Normally – organisation, employer
• Data controller has prime responsibility for ensuring that the
requirements of the Act are carried out
• Data processor – the person who processes personal data on
behalf of the data controller
 Six legitimate reason to process your data
At least one of the following lawful bases set out in Article 6 of GDPR must apply whenever an
organisation processes your personal data:

•Consent - clear consent to process personal data for a specific purpose

•Contract - the processing is necessary for the completion of a contract between the
organisation and the individual

•Legal obligation - the processing is necessary to comply with the law

•Vital interests - the processing is necessary to protect someone’s life

•Public task - the processing is necessary to perform a task in the public interest or an official
function with a clear basis in law

•Legitimate interests - the processing is necessary for the organisation’s legitimate interests or
those of a third party unless there is a good reason to protect the individual’s data
The European Court of Justice has set out a three-
part test to assess whether data is being processed
in line with legitimate interests or not:

1. Is there a legitimate interest in the processing?

2. Is the processing necessary for that purpose?

3. Is the legitimate interest overridden by the

individual’s interests, rights or freedoms?
Huge fines for companies if they break the
rules
• In the most exceptionally severe cases where companies have breached the new
rules, the ICO could issues fines up to €20m or 4% of annual global revenue –
whichever is higher

• But GDPR is not about issuing big fines, and it's unlikely ICO will stray far from the
size of fines it's issued in the past

• Previously, the highest fine that could be levied was £500,000

• You can make a claim for a misuse of your data and get compensation for both
material and non-material damage including, but not limited to, distress and
reputational damage
• Anybody can submit a subject access request (SAR) with data controllers,
and if deemed reasonable (certain exemptions apply) the organisation will have
a month to fulfill the request in full. An SAR provision already in UK law prior to
GDPR, but the new regulation reduced the legal time limit from 40 to 30 days

• GDPR dictates that controllers and processors both must establish clearly how
information is collected, what purposes data is used it for, and the ways in
which this data is processed. Clear and plain language must also be used
consistently across any messaging, restricting the liberty many firms took in
sending reams of dense and complex information to consumers in order to
obfuscate objectionable data practices

• By submitting a SAR users exercise their right to know what data a company
holds on them, and how their data is processed, among a number of other
facts

• Users and customers can also ask for data, if it is wrong or incomplete, to be
corrected and brought up-to-date any time.
The ‘right to be forgotten’?
• GDPR makes it clear that people can have their data deleted at
any time if it's not relevant anymore - i.e. the company storing it
no longer needs it for the purpose they collected it for

• If the data was collected under the consent model, a citizen can
withdraw this consent whenever they like. They might do so
because they object to how an organisation is processing their
information, or simply don't want it collected anymore

• The controller is responsible for telling other organisations (for

instance, Google) to delete any links to copies of that data, as
well as the copies themselves.
 Data Protection Officer
• Any public body carrying out data processing needs to employ a data protection
officer, as do companies whose core activities involve data processing that
requires, they regularly monitor individuals "on a large scale", according to the
GDPR legislation

• The data protection officer's job is to inform and advise the organisation about
meeting GDPR requirements, and monitoring compliance

• They'll also act as the data protection authority's primary point of contact, and will
be expected to cooperate with the authority
 Morrison's Case Study?

https://www.personneltoday.com/hr/morrisons-data-breach-liability-could-the-supermark
et-have-done-more/