Data Security – Data Protection Regulatory Framework


The General Data Protection Regulation (GDPR) (EU 2016/679), which came into force on May 25, 2018, significantly enhanced existing data protection laws. The Data Protection Act (DPA) 2018 also came into effect on May 23, 2018, implementing the GDPR in the UK and expanding its provisions to cover areas such as security services and government bodies not previously included under the GDPR.

Following Brexit, from January 1, 2021, the UK GDPR serves as the retained version of the EU regulation. This framework continues to protect the data rights of UK citizens, while the EU GDPR applies to EU citizens. Organizations that handle data for both UK and EU citizens must comply with both GDPRs.

Key Components of the Data Protection Regulatory Framework

1. Controllers and Processors

The GDPR applies to both controllers and processors of personal data:

  • Controllers determine how and why personal data is processed.
  • Processors act on behalf of the controller to process the data.

Legal Obligations:

  • Controllers must ensure that contracts with processors comply with GDPR.
  • Both controllers and processors are required to maintain records of personal data and processing activities.
  • Processors are liable for any security breaches.

For detailed documentation requirements, refer to our factsheet on GDPR Compliance.

2. Data Protection Principles

Personal data must be:

  • Processed lawfully, fairly, and transparently.
  • Collected for specified, explicit, and legitimate purposes.
  • Adequate, relevant, and limited to what is necessary for its purpose.
  • Accurate and kept up to date, with measures in place to rectify inaccuracies.
  • Retained only for as long as necessary for processing.
  • Processed securely, protecting it from unauthorized access, accidental loss, or destruction.

3. GDPR Rights for Individuals

Individuals have several rights under the GDPR, including:

  • Right to be Informed: Individuals must be informed about how their data will be processed through privacy notices detailing the controller, data sources, recipients, data transfers, and retention periods.
  • Right of Access: Individuals can request confirmation of data processing and access their personal data, which must be provided within 30 days without charge, unless requests are excessive or repetitive.
  • Right to Rectification: Individuals can request corrections to inaccurate or incomplete personal data.
  • Right to Erasure: Individuals can request deletion of their personal data when there is no compelling reason to continue processing, subject to certain exceptions.
  • Right to Restrict Processing: Individuals can request that their data be stored but not processed.
  • Right to Data Portability: Individuals can obtain their data in a structured, machine-readable format and reuse it across services.
  • Right to Object: Individuals can object to data processing, which must cease unless there are compelling legitimate grounds for processing.
  • Rights in Relation to Automated Decision Making: Individuals have the right to safeguards against damaging decisions made without human intervention, including profiling.

4. Accountability and Governance

Organizations must demonstrate accountability by:

  • Implementing measures that meet data protection principles.
  • Documenting policies and procedures for data storage and processing.
  • Implementing technical and organizational measures to ensure compliance.
  • Appointing a Data Protection Officer when necessary.

Refer to our factsheet on Ensuring Data Protection Compliance for more details.

5. Lawfulness of Processing

Organizations must understand and document the lawful basis for processing personal data, which includes:

  1. Consent
  2. Contractual Obligation
  3. Legal Obligation
  4. Vital Interests
  5. Public Interest
  6. Legitimate Interests

Consent must be specific, unambiguous, and freely given. Businesses should capture the date, time, method, and wording used for consent.

When relying on legitimate interests rather than consent, organizations must be able to show a clear basis for the processing and must weigh it against the rights and interests of the individuals concerned.

6. Notification of Breaches

A personal data breach is a security incident leading to the accidental or unlawful destruction, loss or alteration of personal data, or to its unauthorized disclosure or access. The ICO (Information Commissioner’s Office) provides an online self-assessment tool to determine the severity of a breach and whether it needs reporting. Reportable breaches must be notified to the supervisory authority (in the UK, the ICO) within 72 hours.

7. Data Transfer Regulations

On June 28, 2021, the EU Commission adopted an adequacy decision for the UK, allowing most data to flow between the UK and EU/EEA without additional safeguards (excluding immigration control data).

When transferring data to a third country, additional safeguards such as Standard Contractual Clauses or Binding Corporate Rules may apply.

Conclusion

The GDPR and the UK DPA establish a comprehensive framework for data protection that organizations must adhere to in order to safeguard personal data effectively. Compliance is not just about meeting legal obligations; it also builds trust with customers and stakeholders. If your organization needs assistance in navigating these regulations, contact AHACCOUNTANTS for expert guidance.