GDPR and DPA
An overview of General Data Protection Regulations and Data Protection Act and the key compliance obligations you must follow.
About Compliance
Compliance in this context refers to data protection like GDPR. Breaching these laws can have reputational and legal consequences. The Information Commissioner's Office (ICO) is responsible for enforcing compliance with such laws and issues fines to non-compliant organisations, such as British Airways in 2020, when the ICO handed out the largest fine in its history of £20,000,000 ↗.
Your organisation must regester with the ICO if you are prosessing personal information.
The Law
The relevant laws are the United Kingdom General Data Protection Regulations 2016 (UK GDPR) ↗ and the Data Protection Act 2018 (DPA) ↗.
The UK GDPR is the UK’s implementation of the European Union GDPR.
The DPA complements UK GDPR by strengthening certain parts and providing the ICO with the authority to fine organisations up to £17.5 million or 4% of the annual turnover (whichever is higher).
Data Protection Principles
Understanding your role in data protection compliance is crucial. This guide provides you with the necessary information and steps to ensure that your organisation remains compliant.
1. Core Data Protection Principles
- Lawfulness, Fairness, and Transparency: Data must be processed legally and transparently.
- Purpose Limitation: Data should only be collected for specific, explicit purposes.
- Data Minimisation: Only the necessary data should be collected.
- Accuracy: Personal data must be kept accurate and up to date.
- Storage Limitation: Data should not be kept longer than necessary.
- Integrity and Confidentiality: Personal data must be processed securely.
2. Employee Responsibilities
- Data Handling: Handle personal data with care and store it securely.
- Access Control: Limit access to personal data and do not share passwords or credentials.
- Data Sharing: Ensure third-party data sharing complies with regulations and obtain necessary permissions.
- Training: Participate in training sessions to stay updated on compliance requirements.
3. Data Subject Rights
- Right to Access: Individuals can request access to their data.
- Right to Rectification: Individuals can request corrections to their data.
- Right to Erasure: Individuals can request deletion of their data under certain conditions.
- Right to Restrict Processing: Individuals can request processing restrictions in certain cases.
- Right to Data Portability: Individuals can request their data in a structured format.
- Right to Object: Individuals can object to certain types of data processing.
4. Data Breach Protocol
- Report Immediately: Notify the Data Protection Officer (DPO) or manager as soon as a breach is detected.
- Document the Breach: Record all relevant details, including the scope and impact.
- Notify the ICO: If required, the ICO must be informed within 72 hours.
- Inform Affected Individuals: If necessary, notify individuals whose data has been compromised.