Why protecting information matters and advice on remaining compliant.
About Compliance
Compliance in this context refers to data protection like GDPR. Breaching these laws can have severe reputational and legal consequences.
The Information Commissioner's Office (ICO) is responsible for enforcing compliance with such laws and issues fines to non-compliant organisations, such as British Airways in 2020, when the ICO handed out the largest fine in its history: £20,000,000.
Your organisation is already registered with the ICO and asks you to read these guidelines to gain a better understanding of the importance of data protection and to prevent any damage.
The Law
The relevant laws are the United Kingdom General Data Protection Regulations 2016 (UK GDPR) and the Data Protection Act 2018 (DPA).
The UK GDPR is the UK's implementation of the European Union's GDPR.
The DPA complements the UK GDPR by strengthening parts of it and providing the ICO with the authority to fine organisations up to 17.5 million or 4% of annual turnover (whichever is higher).
Data Protection Principles
Understanding your role in data protection compliance is crucial. This guide provides you with the necessary information and steps to make sure that your organisation remains compliant.
1. Data Protection Principles
The core data protection principles are as follows:
Lawfulness, Fairness, and Transparency: Always processing personal data legally and telling individuals exactly how their data is used.
Purpose Limitation: Only collecting data for a specific, legitimate purpose.
Data Minimisation: Only collecting data that is necessary for a given purpose.
Accuracy: Making sure that personal data is accurate and kept up to date.
Storage Limitation: Not keeping personal data longer than needed.
Integrity and Confidentiality: Processing data securely to prevent unauthorised access.
You do not need to concern yourself with these principles beyond what you have just read unless you are in a senior position or a position of authority in the organisation.
2. Employee Responsibilities
As an employee, you have specific responsibilities regarding data protection:
Data Handling: Handle personal data with care. Make sure that it is stored securely whether in physical or digital form.
Access Control: Limit access to personal data to only those who need it for their work. Do not share passwords or credentials.
Data Sharing: Be cautious when sharing personal data with third parties. Ensure that they comply with data protection laws and that you have the data subject's permission.
Training: Participate in training sessions.
3. Data Subject Rights
Understand the rights of individuals regarding their personal data:
Right to Access: Subjects can request access to their personal data.
Right to Rectification: Subjects can request corrections to inaccurate or incomplete data.
Right to Erasure: Subjects can request the deletion of their personal data under certain conditions.
Right to Restrict Processing: Subjects can request that their data processing be restricted in certain situations.
Right to Data Portability: Subjects can request their data in a structured, commonly used format, to transfer to another service.
Right to Object: Subjects can object to the processing of their personal data in certain circumstances.
Review your internal policies for more information.
4. Data Breach Protocol
In the event of a data breach, follow these steps:
Report Immediately: Notify the designated Data Protection Officer (DPO) or your manager as soon as you become aware of a data breach.
Document the Breach: Record details of the breach, including what happened, the data involved, and the potential impact.
Notify the ICO: If necessary, the DPO will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach.