GDPR – AN OVERVIEW OF THE UK DATA PROTECTION ACT 2018 AND WHAT IT MEANS
FOR UK BUSINESSES
Data Protection legislation exists to protect data, primarily personal data (that is data which can identify an individual person) and how it is processed. Processing includes how personal data is collected, used and stored.
Until 2018, data protection regulation had been relatively unchanged for 20 years, despite the fact that during this period we’ve experienced massive changes in the way personal data (that is data which can identify an individual person) has been used. Just think about how you use technology in your personal and work life now, compared with the late 1990s.
2018 has seen the implementation of EU Regulation 016/679, the General Data Protection Regulation (GDPR) and, in the UK, the Data Protection Act 2018 (DPA 18).
For the most part (there are some exceptions) the DPA applies to the whole of the UK.
2 WHY DO WE NEED THE DPA AND GDPR?
The GDPR applies to all EU member states and sets the standards for how personal data relating to EU residents must be processed and protected. However, like most EU legislation, the GDPR accepts that whilst EU member states must comply with GDPR, they also need to ensure that those GDPR standards work at a national level, so the DPA 18 starts by dealing with this for the UK.
The DPA also deals with processing data which falls outside EU law, such as
- National security
- For criminal ‘law enforcement purposes’ and intelligence
- How our supervisory body, the ICO (Information Commissioners Office) functions, and what duties and powers it has.
Finally, the DPA 18 is also aimed at helping the UK prepare for what will happen when the UK is no longer an EU member state. When the UK leaves the EU, the GDPR will be incorporated into the UK’s domestic law under the European Union (Withdrawal) Bill.
So, for the main part, the DPA 18 reinforces what GDPR says and fills in the gaps that GDPR doesn’t deal with such as national security and law enforcement.
Subject to minor exceptions, the Act extends and applies to the whole of the UK.
The DPA 18 is divided into 7 parts and in this session we’re going to look at some of the main areas of the DPA 18 in so far as it affects most businesses in the UK.
3 WHAT DOES THE DPA 18 INCLUDE?
(1) Children and the age of Consent
If your business relies on a person’s consent to process their data, you will need to have safeguards in place when it comes to dealing with children. However, what age restrictions do you need to be aware of?
GDPR allows member states to decide on the minimum age which a child can consent to the processing of their data, provided it is between the ages of 13 and 16. The DPA 18 means that anyone aged 13 or older can properly consent to their personal data being processed by providers of information society services. Information society services are services requested by the person receiving them which are normally provided at a distance electronically and for remuneration. Examples include online shops, live or on-demand streaming services, and companies who provide access to communication networks.
(2) Processing the special categories of personal data
Special categories of personal data are what was previously referred to as sensitive data such as health information or information about race, sexuality, or political opinions and religious beliefs.
The GDPR makes it clear that these special categories of personal data can be processed only
- If certain exceptions apply
- There are safeguards in place
However, most businesses will need to process at least some special categories of data. For example, if you have employees you are likely to process at least the following special categories of data for employment purposes:
- Personal data when dealing with employees and time off
- Trade union memberships
- Race/ethnicity as part of your equality assurances
Section 10 and Schedule 1 of DPA 18 clarify
- When special categories of personal data and criminal convictions data can be processed
- What conditions must be met and what safeguards need to be in place for the exceptions to apply
The DPA 18 (Schedule 1) means that special categories of personal data can be processed if it’s necessary to perform or exercise obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment which is good news for employers. However, to do this you need to have an additional safeguard in place in the form of what is referred to as an “appropriate policy document”. So what do you need to do?
An appropriate policy must contain specified information which includes
- How you will comply with the data protection principles laid out in Article 5 of the GDPR
- Dealing with the retention and erasure of personal data processed under the relevant condition
- Ensuring that your processing is lawful and recorded
If you don’t have that additional safeguard of the appropriate policy document then you should not be processing special categories of data in respect of your employees which, in effect, could mean that you are failing to comply with the law elsewhere. For example, you should not be processing Statutory Sick Pay because, by its very nature, that means dealing with an employee’s health data.
(3) Automated processing (including profiling)
Some businesses rely on making automatic decisions and profiling:
(a) Automatic decisions are decisions which have no human involvement and can include, for example, checking credit scores when granting loan applications.
(b) Profiling means
- Automated processing (using technology/AI)
- of personal data
- with the aim of evaluating personal aspects relating to a person or group of people (including analysis or prediction)
This broad definition means that even classifying individuals based on common characteristics like sex or age could be considered profiling. Profiling has 3 stages
- Data collection
- Automated analysis used to identify correlations
- Applying the correlation to an individual to identify characteristics of present or future behaviour
A common use of profiling is, of course, online targeted marketing.
However, Article 22 of GDPR means that that data subjects can’t be subject to a decision based solely on automated processing or profiling which produces legal effects concerning them or affects them in a similar way unless
- It is allowed by law
- There are suitable safeguards in place relating to that data subjects rights, freedoms and legitimate interests.
What is a decision that produces legal effects or affects an individual in a similar way?
It’s one which “must have the potential to significantly influence the circumstances, behaviour or choices of the individuals concerned” so, for example, being refused credit. You may be thinking therefore that profiling in terms of targeted marketing couldn’t apply. In fact, the guidelines tell us that online advertising could be included, depending on
- The intrusiveness of the profiling
- The expectations and wishes of the individuals
- The way the advert is delivered, and
- The vulnerabilities of the individuals concerned.
An example provided in the guidelines that would fall within this is an advert for risky financial products targeted at a vulnerable individual.
s14 of the DPA 18 lays down the safeguards which you must have in place if you are using automatic decision-making (including profiling) which could have legal effects or affect an individual in a similar way. These safeguards include your obligations to:
- Notify the data subject that a decision has been taken based solely on automated processing
- Allow the data subject 21 days from receipt of that notification to ask that either
- the decision is reconsidered or
- a new decision is taken that is not based solely on automated processing
You can’t try to get around automated decision making by involving a human in the process as a token gesture. Human involvement must be meaningful, which means that the person has the authority to change the decision after considering all the information available to them.
(4) Enforcement and Criminal Offences
GDPR lays down the standards and we know that you could be fined up to 4% of your turnover for non-compliance but it doesn’t really detail the enforcement process because that is left up to member states. The DPA 18 lays down what the ICO can do to enforce GDPR when its standards are not met.
Some enforcement is taken, if somewhat enhanced by previous legislation, such as issuing:
- Information Notices to obtain information
- Assessment Notices to assess whether data controller or processor are complying with the law
- Enforcement Notices to require you to do something or stop doing something which is specified in the notice
- Penalty Notices to impose sanctions if you fail to comply with a Notice
The previous legislation contained criminal offences which could be committed such as, for example, providing false information when responding to ICO notices.
However, the DPA 18 creates new criminal offences, some of which could be committed by:
- Business owners
- Company directors
- Destroying, disposing of, concealing or falsifying data (whether it’s a “document, equipment or other material”) with the intention of preventing the ICO from seeing it
- Unlawfully obtaining or disclosing personal data without the consent of the data controller
- Handling personal data without the consent of the data controller
- Procuring or disclosing personal data without the consent of the data controller
- Selling or offering to sell (which includes advertising for sale) personal data that has been unlawfully obtained,
- Altering, defacing, blocking, erasing, destroying or concealing information intending to preventing disclosure of some or all of that information which someone asking to access it would have been entitled to receive.
- Re-identification of de-identified personal data. This means, for example, taking data that has been anonymised so that you can’t identify an individual from it and then take steps which means that individuals can again be identified
There are some defences to these offences which generally include that they were
- Necessary for the purposes of preventing or detecting crime
- Authorised by law
- Justified as being in the public interest
The fact remains that they can be committed knowingly or recklessly. This means that you commit an offence if either
- You knew what you were doing was wrong
- You should otherwise have taken more care
Let’s look at an example of how an offence could be committed in your business.
You are a data controller of your client/customer data. Mark, an office junior, is asked by Tom, a senior manager, to “shred some data because I don’t want Mr Montague seeing it as part of his Subject Access Request response”. Mark does as he is asked.
Under s173 of DPA 2018, Mark has potentially committed an offence as someone employed by the data controller. s173 does give Mark some defences regarding criminal proceedings but if Mark was prosecuted, irrespective of whether he was found guilty, Mark could potentially have a claim against you, as an employer. What training have you given Mark about his own personal responsibility regarding data protection?
Data protection will impact every UK business. It’s your duty to know your obligations and responsibilities and comply with them, and that includes making sure that all your staff receive adequate training. We can help. Call us on 01244 300413 or email [email protected] for a FREE No Obligation Chat today!