UK data protection: Important basics
We live in a data-rich world.
Sometimes, data protection can seem like unhelpful red tape. At other times, it is critical to cultivating a trustworthy reputation. Either way, organisations face data protection challenges in various spheres – including employment and commercial practice.
Below is a whistle-stop tour of key concepts to keep you grounded as you navigate an evolving and complex field.
Regulation
Different data protection regimes may overlap. Post-Brexit, the UK GDPR is the main regulatory framework for UK organisations – but EU GDPR may still apply, depending on the location of data subjects, and other circumstances.
Data
Personal data is increasingly widespread. The definition is not limited to the obvious – it encompasses anything that can identify an individual, even indirectly.
Types of personal data that are considered particularly sensitive are governed by different rules – and known as “special category data”. This is increasingly relevant as many organisations seek to understand and reflect their stakeholders’ diversity, and grapple with new levels of health disclosures.
Data mapping is vital to providing adequate protection – “what, where, whose and why” are all necessary questions to help see the full picture.
Principles
These are essentially the guard-rails of data protection compliance – keeping them in mind is a fundamental step towards creating a culture that respects the ethos of data protection.
The principles are lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
Together, they require an approach to data protection that seeks to promote and protect privacy – a “less is more” mindset, where data processing is restricted to identified purposes that are clearly communicated and based on specific legal justifications, and data retention is limited and secure.
Lawful processing
Following on from a clear understanding of the types of data involved, a lawful basis is needed to carry out processing activities. Different rationales apply in different circumstances.
Rights
Data subjects have several specific rights – the most commonly exercised being the subject access request, i.e. where individuals can ask for information about how their data has been processed, and for access to, or copies of, the data involved.
Privacy notices are a result of another key right – the right to be provided with information about data processing in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”.
Other rights include the rights to rectification and erasure, and the rights to object to and/or restrict processing – all of which are routes for individuals to raise concerns about the retention of their data, and the appropriateness and accuracy of its processing.
The right to data portability is a relatively obscure right designed to allow individuals to move their data between organisations freely.
And, as the prevalence of AI increases, another lesser-known right is gaining prominence – the right to object to automated decision-making.
Security
Data protection and cyber security go together, so comprehensive security audits and regular internal training should be on the agenda. This is particularly the case as workplaces become more dispersed and multiple platforms, technologies and devices are used.
But data breaches are not always the result of sophisticated attacks – often human error is just as culpable. It is important that breach processes are clear, so that issues can be escalated and resolved, and so that any reporting to the regulator or data subjects can be actioned within the required deadlines.
Sharing and transfers
Data sharing is necessary in many contexts – increasingly so, as organisations outsource various functions to specialist providers and work collaboratively to tackle global issues.
Compliance with data regulations should enhance trust in those commercial relationships. However, on a practical level, navigating different regulatory expectations can be problematic.
International data transfers are restricted. There are additional rules – ranging from how the comparable standards in the importers’ jurisdiction are assessed and evidenced, to the risk assessments, agreements, and obligations necessary to maintain the required levels of data protection. The applicable regimes will depend on the jurisdictions involved.
UK developments
The UK government has signalled its interest in developing “a new direction” for data protection – with an emphasis on supporting innovation, and perhaps an intention to depart from the GDPR in some respects.
However, our alignment with the EU’s position remains an important factor in securing the free flow of data between the EEA and the UK, and may curb any drastic departures from the existing regime.
Nevertheless, as ways of working continue to evolve, and data becomes increasingly embedded across society, we can expect to see more consultations and guidance from the government and the ICO to try to shape and regulate the emerging trends.