Hi there and welcome back to Data Privacy Simplified 101!
This will be the second of many instalments in our blog post series where we will cover complex areas of data protection, data privacy and everything in between. My goal is to hopefully turn this horribly complex mumbo jumbo of acronyms and policies into something a bit more… normal (for lack of a better term) for the average Joe.
So, I had a little think and took some time to read the comments to find the next best suitable topic. I had to ask myself what people want to know and how I can help them understand it better. After careful consideration I realised there is only one answer. Something so monolithic that it impacted society and left business owners quivering in their boots while shredding every ounce of data they previously held. I am obviously referring to none other than the ever so feared UK GDPR!!! *Cue dramatic music*
Good, you're still here (phew, I thought most people would be gone by now). Look, GDPR is not as scary as people think it is and I really hope I can clear some things up today. So where do we start? Well... from the beginning. The Data Protection Directive came into play in 1995, when the internet was still in its infancy and no one really knew how much the internet and digital technology would affect and influence society and our economy. Because it was a directive and not a regulation, each member country was able to set up its own data protection law. This became a problem when trying to share data across borders, especially as it became more common to do so. There was no way to keep track of each country's individual laws, and trying to do so was highly ineffective and costly on top of that. There was also no real way to keep data safe outside of the EU. So the GDPR was introduced in 2016 and, after a two-year grace period, came into force in May 2018 alongside a new Data Protection Act in the UK.
However, the story does not end there... On the 31st of January 2020, the UK enacted the Withdrawal Agreement which, among other things, signaled the UK's exit from the EU and entry into a transition period. During the transition period, all EU laws, including the GDPR, continued to apply. However, to avoid any problems at the end of the transition period, the Agreement also introduced the UK GDPR into law. The UK GDPR is a combination of the EU GDPR and the Data Protection Act with a few tweaks to make it relevant to the UK. During the transition period, both the EU and UK GDPR were in effect in the UK until the end of the transition when just the UK GDPR remained. Today, both GDPRs are in effect in their own areas; the EU GDPR across the European Union and the European Economic Area and the UK GDPR in the UK.
So, who does UK GDPR apply to? Well, simply, it applies to all Data controllers (DC) and Data processors (DP). Yes, the acronyms start now (sorry). Whether you are a controller or processor, the UK GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach. However, as a controller you are not off the hook quite yet. The UK GDPR places further obligations on you to ensure your contracts with processors comply with the UK GDPR.
So, the first step of recognizing whether UK GDPR applies to you is to understand if you are working with personal data. If the answer is yes, then we can start to have a look at what UK GDPR is and how it revolves around your workspace. The UK GDPR sets out seven key principles:
Lawfulness, fairness and transparency
Integrity and confidentiality (security)
These principles should lie at the heart of your approach to processing personal data. Failure to comply with these principles could leave you with a big fine, and trust me, when I say big I mean BIG. Now don’t be worried about these 7 principles. I will be covering these principles in future lessons in detail. The same applies to the next 3 topics I cover today. My main aim today is to introduce you to these laws and principles just so you know they exist. To process personal data, you must have a valid lawful basis to do so. The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever you process personal data:
Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering a contract.
Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
*Important side note* There are 10 more lawful bases for processing special category data, but so as not to overwhelm anyone I will mention those at a later date.
The great thing about GDPR, which I believe most people don’t understand, is that it gives people power over how their personal data is handled. The Data Protection Act outlines very specific rights for individuals. It also makes sure these rights are followed. It makes sure there is transparency, which means that individuals have the right to know who holds information about them, why they have it and how it will be used. It also makes sure that everyone is treated equally and fairly. As an individual, you and everyone else has a set of rights when it comes to personal information. What does it mean for you? In your day-to-day work you need to make sure your processes can comply with the information rights of individuals. In total there are 8 information rights; these are:
The right to be informed
The right of access
The right to rectification
The right to erasure
The right to restrict processing
The right to data portability
The right to object
Rights in relation to automated decision making and profiling
As mentioned before, over the coming weeks I'll be releasing new lessons and posts based on the topics covered today. As I'm sure you have figured out by now, GDPR and data protection are a lengthy subject with lots of jargon and as such take time to explain properly. I hope that I have given some insight today, at least on what GDPR is, its history and what's included within it.
Congratulations on making it through another one of my lessons, you’ve earned yourself a well-deserved pat on the back. Stay tuned in the coming weeks as I plan to keep posting new lessons on important topics and questions. My aim is to be as engaging as possible to help people get a better understanding of this crazy data-filled world, and maybe make it a little fun along the way.