Data Protection law controls how personal data is used by organisations and is about ensuring that personal data is used fairly and responsibly.
In the UK, the law is set out by the Data Protection Act 2018 (“DPA”) and the General Data Protection Regulations 2016 (“GDPR”). The Information Commissioners Office (“ICO”) regulates data protection in the UK.
Personal data means information about an identified or identifiable individual. This can include a customer, client, employee, member, partner and business contact. There is stronger legal protection in place for more sensitive information, for example: race, ethnic background, political opinions, religious belief, trade union membership, genetics, biometrics, health, sex life or orientations. There are also separate safeguards for criminal convictions.
The law applies to processing of personal data such as collecting, recording, structuring, storing, using, disclosing or deleting. It is therefore wide reaching in its application.
The law makes a distinction between controllers and processors and imposes different legal obligations depending in which capacity organisations are acting. A controller decides how and why to collect and use the data. A processor processes data on behalf of a controller and in accordance with their instruction.
The law applies to processing carried out by organisations operating in the UK. It is likely to cover most organisations, regardless of their size. It also applies to organisations operating outside the EU if they offer goods or services to individuals within the EU.
The law sets out seven key principles:
Organisations need to have policies, procedures and processes in place to ensure that they comply with these principles. Accountability is one of the key principles – it makes organisations responsible for complying with the law and requires them to demonstrate compliance.
Individuals have extensive rights to protect their personal data. Organisations need to be equipped to deal with individuals exercising those rights.