What is personal data?
Before looking into the regulations around information security, it’s vital to understand what personal data is. The Data Protection Act 1998 (DPA) — the primary piece of legislation that currently governs information security in the UK — defines personal data as:
“…data which relate to a living individual who can be identified —
- from those data, or
- from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”
And for information to be classified as ‘sensitive personal data’, it contains information about the subject such as:
- racial or ethnic origin
- political opinions
- religious beliefs
- physical or mental health condition
- criminal convictions
What protects personal data?
Data Protection Act 1998 (DPA)
The main piece of legislation that currently governs information security in the UK is the DPA. Based on European law, it is designed to protect individuals’ personal data — in particular, stipulating that it may only be used for the purpose for which it was collected and may not be disclosed to third parties without the individual’s consent.
The DPA is underpinned by 8 guiding principles. When it comes to businesses, it is the 7th principle that must be adhered to by law. It states:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
Specifically, organisations need to ensure:
- the measures meet a level of security appropriate to both:
- the harm that might result from theft, loss, damage or destruction of the data
- the nature of the data to be protected
- the reliability of any employees who have access to the personal data
- the implementation of appropriate physical and technical security, protected by robust policies, procedures and trained staff
- they are sufficiently prepared to respond to security breaches swiftly and effectively.
Since 2010, the Information Commissioner’s Office (ICO) has had the power to fine organisations up to £500,000 for serious breaches of the DPA.
Data Protection Bill
The Data Protection Bill — the UK’s third generation of data protection law — was introduced in September 2017 in a bid to update data protection laws for the digital age.
According to the government, the bill sets out to:
- make our data protection laws fit for the digital age in which an ever increasing amount of data is being processed
- empower people to take control of their data
- support UK businesses and organisations through the change
- ensure the UK is prepared for the future after we have left the EU.
You can view the Data Protection Bill in full on the parliament website.
Because the bill has already been passed and has direct effect across all EU member states, organisations are still expected to comply with this regulation, as well as adhering to the legal obligations of the General Data Protection Regulation (GDPR), which comes into force in April 2018.
See the section below for further information about the GDPR.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation GDPR is the new EU data law, which will completely replace the DPA on 25 May 2018. It will apply to all companies in the EU, including the UK post-Brexit, and increase regulatory powers for the ICO, which enforces the laws that govern privacy.
The change in legislation is likely to mean UK organisations will need to review and amend their document retention and destruction policies to ensure compliance, so it’s vital to understand the requirements ahead of its enforcement.
Some of the key changes to the DPA are as follows:
- Regulatory fines – to be increased to a maximum of €20,000 or 4% of global turnover with a two-tier fine system introduced.
- Accountability – companies will need to justify, document and evidence their actions and decisions.
- Consent – this will be more difficult to obtain and must be clear and recorded.
- Data processors – accountability for processors will be increased.
- Data subjects’ rights – giving individuals complete control over their personal data, including:
- right to be informed
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- rights in relation to profiling
- Fair processing/privacy notices – further information will be required and should be concise, transparent, easily accessible and free of charge.
- Breach reporting – a notifiable breach will need to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. Robust breach detection, investigation and internal reporting procedures will be highly important.
- Registration requirements – there will be no requirement to register with the Information Commissioner’s Office.
What if you’re a small business?
If you’re self-employed or run a small business, you still have a duty to comply with data protection law and prepare for the GDPR.
The ICO offers advice specifically for small businesses – including a self-assessment toolkit – but in general the DPA stipulates that if you hold and process personal data about your clients, employees or suppliers, you must:
- only collect information that you need for a specific purpose
- keep it secure
- ensure it is relevant and up to date
- only hold as much data as you need, and only for as long as you need it
- allow the subject of the information to see it on request.