Data privacy and protection is a critical topic for all organisations and in the UK, the Data Protection Act carries the requirements of the EU General Data Protection Requirements into law. These will not change as a result of BREXIT, so it is crucial that ISO 27001 Managers meet the requirements. However, the legal requirements are extensive and for the un-initiated, can be confusing and easily confused. Take a look at 10 of the key things you should understand.
The GDPR defines a controller as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Controllers have the responsibility to make decisions about processing activities. They exercise overall control of the processing of personal data and are ultimately in charge of and responsible for the processing.
The GDPR defines processors as the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. In doing so, they serve the controller’s interests rather than their own. Although a processor may make its own day-to-day operational decisions, the GDPR states it should only process personal data in line with a controller’s instructions, unless it is legally required to do otherwise by law.
The main regulator of the GDPR inside the UK is the Information Commissioner’s Office (ICO), the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Information Commissioner's Office is a non-departmental public body which reports directly to the United Kingdom Parliament. As such, the ICO has the independent authority to impose penalties on businesses in breach of both the GDPR and DPA 2018 in the UK and can work alongside EU member state authorities on a variety of cases.
A subset of personal data, personally identifiable data (PII) is defined as any data that can be used to identify a specific individual. Social Security numbers, mailing or email address, and phone numbers have most commonly been considered PII, but advancements in technology and increased ease of access to information has expanded the scope of PII considerably. It can include an IP address, login IDs, social media posts, or digital images. Geolocation, biometric, and behavioural data can also be classified as PII.
Personal data is any information that relates to an identified or identifiable individual. Personal data only includes information relating to natural persons (as opposed to legal persons - registered organisations and businesses) who can be identified or who are identifiable, directly from the information in question or who can be indirectly identified from that information in combination with other information.
You must have a valid lawful basis in order to process personal data. There are six possible lawful bases for processing. No single basis is better or more important than the others, and which basis is most appropriate to use will depend on your purpose and relationship with the individual or client. Most lawful bases require that processing is necessary or legal for a specific purpose. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.
The Information Commissioner has the power to issue a monetary penalty for an infringement of the provisions of Part 3 of the DPA 2018. Any penalty that the ICO issues is intended to be effective, proportionate and dissuasive, and will be decided on a case by case basis. The higher maximum amount, is 20 million Euros (or equivalent in sterling) or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities. DPOs assist you in monitoring internal compliance, informing and advising you on your data protection obligations, providing advice regarding Data Protection Impact Assessments (DPIAs) and acting as a contact point for data subjects and the supervisory authority. The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
Since the GDPR has direct effect across all EU member states and has already been passed, organisations will still have to comply with this regulation and the ICO will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. As a result of the Data Protection Act 2018 (DPA 2018) was introduced. One important element of the DPA 2018 is that it has a part dealing with processing that does not fall within EU law, for example, where it is related to immigration. It applies GDPR standards but it has been amended to adjust those that would not work in the national context.
The GDPR and the Data Protection Act 2018 set out exemptions from some of the rights and obligations in some circumstances. In some circumstances, the DPA 2018 provides an exemption from particular GDPR provisions. If an exemption applies, you may not have to comply with all the usual rights and obligations. Whether you can rely on an exemption often depends on why you process personal data. Your business should not routinely rely on exemptions but should consider them on a case-by-case basis.
Published on 20 September 2020
Related ArticlesComparing Cyber Essentials to ISO 27001
If you have any further questions or want to learn more about what we can do for your business, please contact us using the link or details below:CONTACT US
Tel: 01908 255 525