The Data Protection Act 2018 (DPA 2018) supersedes the Data Protection Act 1998 (DPA 1998). It was enacted into UK law on 23 May 2018, just two days before the GDPR came into force on 25 May.
Which is relevant to me - the DPA 2018 or the GDPR?
To create an effective data protection framework, the two should be read side by side, with the DPA 2018 making its own provisions for how the GDPR’s rules apply in areas outside the scope of EU law. For example, there are allowances made for matters of national security and for a post-Brexit UK. Separate parts of the DPA 2018 also cover the ICO and its duties, functions and powers, plus other enforcement provisions.
The DPA 2018 has also adopted the seven principles of the GDPR and, as a business owner or decision maker, you need to understand what these seven principles mean, as they will form the basis of your data protection framework. In this guide, we review each principle and explain what it really means for your organisation.
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Principle (a) Lawful, fair and transparent processing
This principle emphasises transparency about how and why data is collected. You must have identified legal grounds under the GDPR (known as a “lawful basis”, of which there are six) for collecting and using personal data, and you must ensure you are not in breach of other laws while processing. Personal data must be used in a way that is fair to the individuals concerned, and you must be honest and open with them about how their data is used.
Principle (b) Purpose limitation
This principle requires organisations to be clear about their purposes for processing from the start, and these purposes must be recorded as part of your documentation obligations (the accountability principle). You can no longer collect irrelevant information; everything you collect must serve a purpose. If a new purpose for processing arises, the data can only be used for it if the new purpose is compatible with the original one, if you obtain consent, or if you have a clear basis in law.
Principle (c) Data minimisation
This principle emphasises the need for organisations to minimise the data they collect.
All data collected must serve a purpose. This principle is designed to address today’s digital landscape, where nearly every conceivable piece of data can be collected in some way. To comply with the GDPR, organisations must store only the minimum data required.
You must ensure the personal data you are processing is:
- Adequate: sufficient to properly fulfil your stated purpose
- Relevant: has a rational link to that purpose
- Limited to what is necessary: you do not hold more than you need for that purpose
Principle (d) Accurate and up-to-date processing
This principle requires controllers to ensure the information they hold is accurate and up to date, and remains so. Personal data is only lawful to use while it remains accurate and relevant. You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading in any way, and if you discover that it is, you must take all reasonable steps to correct or erase it as soon as possible. The principle is designed to ensure stored data is accurate and useful to the organisation using it.
Principle (e) Storage limitation
This principle emphasises the need for organisations not to keep data for longer than it is needed.
Article 5(1)(e) states personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Even if you collect and use it lawfully, you cannot keep it for longer than you actually need it.
The GDPR does not set specific time limits for different types of data; this is up to you, but the retention periods you specify for each data type should be reflected in your data retention policy.
Principle (f) Integrity and confidentiality (security)
This principle protects the integrity, privacy and confidentiality of data by placing specific obligations on organisations to secure it. Organisations that collect and process data are solely responsible for the security of that data, and the security measures they apply must be proportionate to the type of data held. To be compliant, organisations must enforce a strict data security policy that protects data from all threats.
Principle (g) Accountability
This principle makes the organisation responsible for complying with the GDPR and for being able to demonstrate that compliance: you must take responsibility for the processing activities you carry out. To ensure ongoing compliance, every step of your GDPR strategy must be auditable through policies and procedures, so that in the event of an investigation you can prove that the proper actions were taken or, at the very least, show that the relevant considerations were made. These obligations are ongoing and must be reviewed at appropriate intervals.
Missing principles from the DPA 1998 - Rights and international transfers
Those of you who are familiar with the eight principles of the Data Protection Act 1998 will note that ‘rights’ and ‘international transfers’ are missing from the GDPR’s principles. With regard to rights, people now have the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling. To be compliant, organisations must take steps to ensure individuals can exercise these rights at any time.
With regard to international transfers, there are now specific rules for transfers to third countries or international organisations. Appropriate safeguards must be in place to protect the data. Binding Corporate Rules (BCRs) and Standard Model Clauses are two mechanisms for achieving this, but there are others.
Does your organisation satisfy the DPA 2018?
Satisfying the DPA 2018 is not a tick-box exercise or a quick process; in fact, it is a work in progress for many companies. You are required to create an auditable data protection policy and a culture of data governance and data protection at all levels, from the board room to the post room, and this takes time. There is no template for achieving a “defensible level of compliance”, as every organisation uses and stores different types of personal data for different purposes.
There are also the distinct obligations placed on the “controller” and the “processor”, which will dictate the path of your preparations: which existing policies can be reused and which must be redrafted in full to properly reflect the way in which personal data is used. Use our description of each principle above to start reviewing your own.