Data Protection Act 2018
What is the Data Protection Act?
The Data Protection Act 2018 is the data privacy law that applies in the United Kingdom.
Data privacy regulations have been passed by many legislative bodies around the world. The Data Protection Act 2018 is the equivalent of these for the United Kingdom. It applies to all businesses or organizations collecting nonpublic personal information (NPI) from U.K. residents.
What Gave Rise to the Data Protection Act
Before 2018, the law governing data protection in the U.K. was the Data Protection Act of 1998. In the years that followed, there were many technological advancements in the digital space that heavily impacted how organizations collected and processed personal data. This led to breaches of personally identifiable information (PII), some high-profile and others less serious, which put businesses and consumers at risk.
Countries in Europe, such as the U.K. and France, began conversations on updating their data privacy regimes through the passage of individual data protection compliance regulations. In the meantime, the European Union passed the General Data Protection Regulation (GDPR). Fast forward to 2018: the U.K. voted to leave the EU through the Brexit process, but it still needed a law to ensure GDPR protections would continue to be extended to U.K. residents.
The result was the passage of the Data Protection Act in 2018. In addition to the GDPR, the Data Protection Act is similar in scope to the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and the California Consumer Privacy Act (CCPA).
Personal Data as Defined in the Act
The Data Protection Act defines personal data as any information that can be used to identify a living person, whether fully or in part.
Special Category Data
The Act defines special category data as personal data that is sensitive, which then requires an even higher level of privacy and protection. This includes data such as:
- Biometric data
- Race
- Sexual orientation
- Religious beliefs
- Political beliefs
- Physical and mental health conditions
- Sexual life
Confidential Data
Confidential data is any data shared between two parties in confidence. It may or may not be of a personal nature; provided it is not in the public domain, it is protected by the Data Protection Act.
Differences Between the Data Protection Act and GDPR
The Data Protection Act extends the same protections provided under the GDPR to U.K. residents. It largely inherits all the tenets of the GDPR with just a few differences, mainly to clarify country-specific issues. One key difference is that the Data Protection Act provides unlimited fines for companies and individuals who access anonymized data and try to re-identify the individuals behind it.
Another difference is that the Data Protection Act goes further and provides certain exemptions under which personal data can be processed without user consent. These mainly concern national security, immigration, and the intelligence services.
Another notable difference is the age of valid consent to personal data processing. In the EU GDPR, the age is 16 whereas it is 13 in the Data Protection Act.
How to Comply With the Data Protection Act
Perhaps the most critical question for businesses collecting data from U.K. residents is how to comply with all the provisions of the Data Protection Act.
As is the case with other privacy laws across the world, compliance is not easy, especially when an organization’s cybersecurity risk management practices are not robust. The following are some of the core requirements of the Data Protection Act:
Post a Privacy Policy
To ensure regulatory compliance, a privacy policy that is publicly shared with a business’s users is mandatory. It should describe the business’s data collection and processing activities in plain language.
State Legal Basis for Processing PII
According to the Data Protection Act, there are several legal bases for processing PII. These are the same as in the GDPR:
- Consumer consent (most common reason businesses process personal data)
- Fulfillment of a contract
- Legal obligation
- Public interest
- Legitimate interest
- Vital interest
The business reason for collecting and processing PII must fall within one of these bases to comply with the law.
Consent to Collect and Process
After establishing a legal basis, the next step is to seek consent from the user to collect and process their data. For consent to be legal in the U.K., it must be:
- Freely given
- Explicit
- Unambiguous
- Informed
- Recorded
To satisfy these conditions, organizations must disclose to users the individual rights outlined later in this article and uphold them.
Appoint a Data Protection Officer
The Data Protection Act requires that you appoint a Data Protection Officer if you are a public body or your business involves large-scale, systematic collection and processing of personal data.
The name and contact details of the Data Protection Officer must be displayed prominently in your privacy policy.
Establish Data Breach Protocols
If a data breach occurs that leaks PII belonging to U.K. residents, the Data Protection Act requires organizations to inform the Information Commissioner’s Office in the U.K. within 72 hours. Individuals affected also need to be notified of the breach and steps taken to protect their data.
Institute Data Collection and Retention
To ensure compliance with the Data Protection Act, organizations must limit the collection and retention of personal data to what is necessary for the stated purpose. Keeping unused personal data around, or processing it beyond what was initially consented to, is a violation of the law that may result in a fine.
Create Privacy by Design
Privacy by design is a significant component of all privacy laws. It is a cybersecurity policy under which all processes, systems, infrastructure, and people dealing with PII operate with a privacy-first mindset.
Seven Principles of the Data Protection Act
For organizations handling PII for residents in the U.K., understanding the seven principles of the Data Protection Act is the key to compliance with this law. These principles should be an organization’s guiding values and foundation when collecting and processing all personal data.
When going through these principles, readers will find that they cut across multiple data protection laws and across jurisdictions. To a large extent, these principles apply to GDPR, PIPEDA, CCPA, Health Insurance Portability and Accountability Act (HIPAA), Debt Collection Improvement Act (DCIA), and Japan’s Act on Protection of Personal Information (APPI).
Lawfulness, Fairness, and Transparency
This principle dictates that personal data must be processed lawfully and fairly, and that users must understand what they are signing up for. The Data Protection Act requires that organizations use clear, plain, and accurate language in their data handling policies.
Purpose Limitation
This principle states that PII must be used only for the specific purpose for which it was collected, of which the user was duly notified and which they understood. The principle is meant to reduce instances where personal data collected for one purpose is improperly processed in ways outside of the original purpose.
Data Minimization
This principle limits an organization’s ability to collect data on a scale that exceeds its lawful use. It states that organizations must collect only data that is relevant to and limited to their intended purpose.
Accuracy
This is a well-known principle across most privacy laws. It simply means that all personal data must be accurate, and organizations have the responsibility to update inaccurate data upon request by a user.
Storage Limitation
Unless justifiable, organizations shouldn’t store personal data indefinitely.
Integrity and Confidentiality
This is perhaps the principle most organizations struggle with when personal data breaches occur. The principle requires that appropriate measures are taken to secure personal data through the use of physical and digital controls.
Accountability
The last principle requires organizations to keep proper records to show compliance with the Data Protection Act.
Individual Rights of Users Under the Data Protection Act
In addition to the seven principles, the Data Protection Act outlines the individual rights of data subjects that organizations must uphold. The principles and the respective rights form the bulk of the Data Protection Act. Organizations must adhere to the following to comply with the Data Protection Act:
Right to Be Informed
Users have a right to be notified when their personal data is collected, processed, used, and shared. Organizations are responsible for communicating the intended purpose of holding and processing this data and seeking informed consent.
Right of Access
Users have the right to request access to all their data held by an organization.
Right of Rectification
This corresponds to the principle of accuracy we discussed in the previous section. Users or data subjects, as defined in the Data Protection Act, have the right to request rectification of their personal data.
Right of Erasure
This is the infamous right to be forgotten that many big companies have tried fighting in the courts. It gives data subjects the right to request the deletion of their personal data. This applies when the individual feels there is no reason for an organization to continue holding and processing their data.
The Right to Restrict Processing
Data subjects have the right to block or suppress the processing of their personal data, for example while the accuracy of the data is being contested or a legal objection is pending.
Right to Data Portability
Users have the right to ensure their personal data is accessible in a format that allows the reuse of this data without the need to resubmit the data repeatedly.
Right to Object
Under certain circumstances, individuals have a right to object to the processing of their personal data. Organizations have an obligation to inform data subjects of this right.
Right to Challenge Automated Decision-making and Profiling
Individuals have the right to opt out of automated decision-making when it comes to their personal data and any profiling done through an automated process. They have the right to seek a review by a human.
Penalties for Noncompliance
The Data Protection Act sets out the penalties for noncompliance as a maximum fine of £17.5 million or 4% of worldwide revenues in the preceding financial year for the most severe noncompliance cases. In case of a failure to notify the U.K. Information Commissioner’s Office of a breach and other infringements, the maximum fine is £8.7 million or 2% of a company’s global revenue. Other penalties, as defined in the Data Protection Act, include a temporary or permanent ban on data collection and processing.
Sensitive Content Communications Compliance
Organizations need a comprehensive privacy and compliance approach to sensitive content communications. Regulatory compliance with the Data Protection Act mandates that organizations track, control, and secure private PII communications—both internal and external—and be able to demonstrate an audit trail based on how it is secured in transit and at rest, who accesses it, with whom it is shared, and what devices were used.
As organizations often employ multiple communication channels that include email, file sharing, file transfer, managed file transfer, web forms, and application programming interfaces (APIs), a unified approach is required. But most organizations utilize over four tools for managing sensitive content communications—which creates complexity and greater risk.
The Kiteworks platform enables organizations to create Private Content Networks used for governance, compliance, and protection of sensitive content communications. Schedule a custom demo of the Kiteworks platform to learn how it unifies, tracks, controls, and secures PII and helps organizations comply with the Data Protection Act and other regulations.