Data Protection Act
Ownership and exploitation of data is increasingly big business. The problem is that a breach of the various laws under the Data Protection Act can lead to public embarrassment and a range of sanctions, which include civil and criminal liability. The solution lies in understanding the scope of the data protection requirements attaching to the intended use.
The scope of the data protection requirements imposed on all businesses and organisations is about to change, as we explain.
Exploiting data within the data protection laws
John Deane, partner in charge of data protection, comments that finding the solution to comply with the data protection laws is complicated. Complication arises because often there are several businesses involved in the data exploitation process. Questions of who is ultimately responsible for data protection can be blurred. The new data protection laws go some way to bridging gaps, but John feels there will still be holes. Bedding down such wholesale changes is not instant. There will be plenty of uncertainty for some time in all likelihood.
Data protection requirements – current law
To understand the new data protection laws coming into force in 2018, you need to know the current law. We set out a brief overview.
Ownership and exploitation of data
If there is any ownership and/or exploitation of data then the data protection laws require that a “data controller” be appointed. The data controller is usually an employee or director of the business collecting or owning the data. The data controller must be registered with the Information Commissioner’s Office (“ICO”). The data controller is responsible for compliance with all data protection laws. However, upon a breach of data protection the ICO can pursue the company as well as the appointed individual data controller.
Problems for data controllers
As the market becomes more sophisticated the question of who is the owner of data and who is responsible for data protection takes on more importance.
- Hacking is a particular problem.
- Another problem is the adequacy of consent obtained from the individuals.
- Questions arise where an artificial intelligence application has created data from several sources.
The ICO has published a guide. But in many aspects the guide is lacking in coverage. We provide solutions for users of data and for data businesses, designed to minimise the consequences following a breach of the data protection laws.
Notification of data protection breaches
Upon a breach of the data protection laws the data controller will usually have to notify the ICO within a short period of time. Failure will generate a fine by the ICO. The fine may be imposed on the company and/or its directors.
There are more onerous conditions governing the processing of sensitive personal data. Explicit consent from the individual is required before the data can be used or exploited. If there is a data protection breach involving sensitive personal data the repercussions are more serious.
Data regarded as sensitive personal data under the data protection laws
Sensitive personal data includes information relating to an individual’s:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic or biometric data;
- physical or mental health or condition;
- sexual life; or
- criminal offences committed or alleged.
Standard expected from businesses in monitoring data protection
Businesses must at all times meet the ICO’s standards for information security. However, standards have to be taken from various sources as they are unhelpfully not all in one publication. This is a problem for many organisations unfamiliar with the data protection framework. We do offer support.
Right to know about ownership and exploitation of data
The data protection laws permit individuals access to information held about them. But there are exceptions. For example:
- The Proceeds of Crime Act 2002 prohibits the release of information in some cases.
- There is also the European Convention on Human Rights to consider. Various issues arise, such as Article 8, which preserves the right to privacy. There is a problem in that the Data Protection Act conflicts with the Human Rights Act on some aspects.
- There is a concept of proportionality and the relevance of the information requested. There is a string of cases determined by the courts setting down guidance on what is proportionate. The question is fact specific and depends upon the circumstances.
Data protection – new law in force from 2018
The European Union’s new General Data Protection Regulation (GDPR) applies from 25 May 2018. The GDPR will significantly impact an organisation’s approach to data protection compliance.
10 changes to the data protection laws
1. GDPR applies worldwide
Data protection is extended beyond the remit of the current Data Protection Act. Under the GDPR, data protection laws will apply to all organisations that control and process personal and sensitive personal data of any EU citizen. It will apply to European and non-European businesses alike. This means that a company does not need to have an office, subsidiary or equipment in the EU for the GDPR to apply to it in full.
Once the UK has left the EU, the GDPR will still apply to British companies that process information relating to EU citizens. The position is less clear for those companies that only process information relating to UK citizens. Possible scenarios include:
- If the UK remains in the ‘Single Market’, the GDPR is likely to apply fully in the UK; whereas
- If the UK completely leaves the EU all EU rules might be replaced with national ones.
It’s too early to have a definitive answer, but the ICO guidance is clear. Organisations should continue to prepare for and comply with the GDPR now, rather than lose valuable compliance preparation time. One thing is certain: unless the UK leaves the EU before 25 May 2018, the GDPR will apply.
2. The definition of personal data has been widened
The GDPR has widened the definition of personal data. New kinds of personal data have been brought under the data protection regulations.
Personal data is any data that can be used to identify an individual. Personal information will include genetic, mental, cultural, economic and social information.
3. New role of Data Protection Officer
An organisation will have to appoint a data protection officer (DPO) to oversee data protection if its “core activities” include:
- Regular and systematic monitoring of data subjects on a “large scale”; or
- Processing “special categories of data” on a large scale.
EU companies employing 250 or more employees and public authorities and bodies will also be required to employ a DPO.
There is no guidance as yet on the meaning of “core activities” and “large scale”. However it is likely that these requirements will capture companies who deal in “big data”.
“Special categories of data” will be sensitive personal data.
Relationship between the data controller, data processor and the DPO
The data controller can be a natural or legal person. Frequently it is the company on whose behalf personal data is processed, rather than an individual employee of the company. The data controller determines the purposes for which and the manner in which personal data is processed. This means that the data controller exercises control over the ‘why’ and the ‘how’ of a data processing activity.
The data processor is any legal or natural person who processes the data on behalf of the data controller. The data processor is not an employee of the data controller. Often the data processor’s activities are limited to more technical aspects such as data storage, retrieval or erasure. Examples include cloud storage providers.
Data protection officer (DPO)
The role of the DPO is to ensure that the data controller is compliant with all applicable data protection laws and regulations. The DPO will need to manage notifications or registrations with the relevant data protection authority in respect of the data processing activities of the data controller. In the UK the relevant authority is currently the Information Commissioner’s Office (ICO).
4. Stricter rules for obtaining valid consent
A condition of the ownership and exploitation of data under the data protection laws will be the core principle of accountability. Not only do businesses have to comply with the provisions of the GDPR, they also have to demonstrate compliance with data protection. The rules for obtaining consent have become stricter.
When obtaining consent to the use of data, organisations need to:
- Use simple, easy to understand language;
- Be clear about how they will use the information;
- Take a positive step to obtain consent. Silence or the use of pre-ticked boxes is not acceptable;
- Prove clear and affirmative consent to process the data; and
- Explain what personal data they are collecting, and how it will be processed and used.
5. Privacy Impact Assessments (PIAs)
The GDPR requires data controllers to conduct PIAs, where privacy breach risks are high. This is to minimise risks for individuals.
The data protection laws will require a business to conduct a PIA before they start a project. They will also have to work with the data protection officer to ensure they are compliant as the project progresses.
6. Data breach notification
Organisations must notify the ICO of a data breach within 72 hours of discovering it. This provision is aimed at ensuring organisations constantly monitor for breaches of personal data. Businesses will need technology and procedures to comply with the extended data protection laws.
7. Right to be forgotten
The information rights that exist under the Data Protection Act are extended. Organisations are now prevented from holding data for longer than absolutely necessary. They are also not allowed to change the use of the data from the purpose for which it was originally collected. Most importantly, they must delete any data at the request of the data subject.
8. Liability is expanding beyond data controllers
The GDPR extends liability to all organisations that touch personal data. In the past, only the organisation that controlled the data was considered responsible for data processing activities.
9. Privacy by Design
The GDPR requires that privacy is included in systems and processes by design.
This will have significant impact on IT and software companies. At present, full erasure of information is not something seen in software and not something required under existing data protection laws.
10. One-stop shop
The GDPR allows any European data protection authority to take action against organisations, regardless of where in the world the company is based. As a business this may be beneficial if you only have to deal with one supervisory authority rather than a different one for each EU state.
Stiffer consequences for non-compliance with data protection laws
The consequences for owners and exploiters of data upon non-compliance are more severe. The new position includes:
Up to 2% of annual worldwide turnover of the preceding financial year or €10 million, whichever is greater, for violations relating to:
- Internal record keeping;
- Data processor contracts;
- Data security and breach notification;
- Data protection officers; and
- Data protection by design and default.
Up to 4% of a company’s annual worldwide turnover or €20 million, whichever is greater, for violations relating to breaches of:
- Data protection principles;
- Conditions for consent;
- Data subjects’ rights; and
- Internal data transfers.
Deletion of data
In addition to the new steeper fines for a data protection breach comes a new power. Owners and exploiters of data can be ordered to delete all personal data held. This will have significant impact on an organisation if its core business activity includes the processing of data.
John Deane runs the commercial team offering specialist knowledge on how to operate an effective data protection policy. John works for a variety of organisations involved in “big data” helping them to minimise risk.