The EU General Data Protection Regulation (GDPR) and the UK Data Protection Act (DPA) both came into effect on 25th May 2018. The DPA sits alongside the GDPR and tailors how it applies to the UK.
The GDPR is a piece of legislation that came into force in order to unify data protection laws across Europe. It puts in place a wide range of requirements on controllers and processors of personally identifiable information (PII). Articles 5(1) and 5(2) of the legislation provide seven principles for the processing of personal data.
Seven principles for the processing of personal data
- Processed lawfully, fairly and in a transparent manner in relation to individuals
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed
- Accurate and where necessary kept up to date
- Kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
- The controller shall be responsible for and be able to demonstrate compliance with the above principles.
The GDPR further provides the data subjects with eight rights:
- The right to be informed about the collection and use of their personal data
- The right to access their personal data
- The right for individuals to have inaccurate personal data rectified, or completed if it is incomplete
- The right to have their personal data erased
- The right to restrict processing of their personal data
- The right to data portability allowing them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability
- The right to object to the processing of their personal data in certain circumstances
- Rights in relation to automated decision making and profiling
Throughout the GDPR, there is a consistent requirement to take a risk-based approach to all elements of data processing, including the security of the data.