Frequently Asked Questions about Data Protection
Is Data Protection impacted by Brexit?
The worst-case scenario was that from 1 January 2021 personal data flows from the EEA to the UK would grind to a halt until businesses had adapted to the restrictions and new measures that apply to transfers out of the European Union (EU).
Fortunately, the UK-EU Trade and Cooperation Agreement provides a bridging period until at least the end of April 2021, and at most the end of June 2021, during which those transfers can continue while the EU decides whether to grant the UK an adequacy decision, i.e. whether the UK's own regime (the UK GDPR together with the Data Protection Act 2018) provides safeguards essentially equivalent to the EU's General Data Protection Regulation (GDPR). An adequacy decision is adopted by the European Commission, not agreed by the UK government, so businesses should still prepare for the possibility that it is not in place when the bridging period ends.
What Can I Do to Prepare?
In the meantime, there are various things that you should consider, including:
- Nominating a Lead Authority
- Confirming Whether or Not You Need to Appoint an EU or UK Representative
- Reviewing and Updating Policies and Procedures with Respect to the UK and EU GDPR
Do I Need an EU Representative?
An EU representative is only required if you have no office, branch or other establishment in the EU or EEA but still offer goods or services to, or monitor the behaviour of, individuals there (Article 27 of the EU GDPR). If that applies, you will need to consider in which EU or EEA state your representative will be based and put in place an appropriate written mandate for that representative to act on your behalf.
You do not need to appoint a representative if:
- You Are a Public Authority
- Your Processing is Only Occasional, of Low Risk to the Data Protection Rights of Individuals, and Does Not Involve the Large-Scale Use of Special Category or Criminal Offence Data
What is GDPR?
The General Data Protection Regulation (Regulation (EU) 2016/679) is the EU law governing the processing of personal data. It has applied in the UK since 25 May 2018 and, since the end of the transition period, has been retained in UK law as the "UK GDPR".
What is the DPA 2018?
It sits alongside the GDPR, and tailors how the GDPR applies in the UK. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner's functions and powers.
Who are the ICO?
The Information Commissioner's Office (ICO) is the UK's independent data protection regulator. It is responsible for promoting good practice in handling personal data and giving advice and guidance on data protection, helping to resolve disputes and enforcing compliance, among other things.
What Are My Business’ Responsibilities?
The data protection principles set out in Article 5 of the GDPR say (in summarised form) that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency')
- Collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes ('purpose limitation')
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation')
- Accurate and, where necessary, kept up to date ('accuracy')
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ('storage limitation')
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage ('integrity and confidentiality')
Article 5(2) adds that the controller is responsible for, and must be able to demonstrate, compliance with these principles ('accountability'), so keeping records of the decisions you make and the measures you put in place is part of the obligation.
What Are the Benefits of Getting Data Protection Right?
Companies that comply with data protection law can find that there is also a positive impact on:
- Customer Satisfaction
- Customer Trust
- Targeted Leads for Marketing
- Employee Morale
- Reputation and Brand Image
What Is a Personal Data Breach?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (Article 4(12) of the GDPR). It is wider than a hacking incident: a lost laptop, an email sent to the wrong recipient, or data being unavailable because of ransomware are all personal data breaches.
What Should We Do If We Discover a Breach Has Occurred?
- Assess the Risks
- Determine If You Need To Report to the ICO
- Determine if You Need to Inform Impacted Individuals
- Document the Breach
- Contain and Fix the Breach (and Remove the Root Cause so That There Is No Opportunity for the Breach to Happen Again)
How Long Do We Have to Report a Breach?
A breach that is likely to result in a risk to individuals' rights and freedoms must be reported to the ICO without undue delay and, where feasible, within 72 hours of you becoming aware of it. If you don't have all the information yet, report what you can within that timescale while you continue to investigate, and follow up with supporting information as soon as it is available.
If you take longer than 72 hours, you must give the ICO the reasons for the delay. A late or missing notification can count against you if the ICO decides to take enforcement action against your company.
How Long Do We Have to Inform an Individual about a Breach?
Where the breach is likely to result in a high risk to individuals' rights and freedoms, you must inform them without undue delay. There is no fixed 72-hour limit for individuals as there is for the ICO, but don't use that as a reason to wait: think about how you would feel if this were your data. The individual may need to take action to avoid fraud (for example, by changing their bank details or passwords), so tell them as soon as you can and include practical advice on what they should do.
What Individual Rights Do People Have?
Right to Be Informed
- Individuals have the right to be informed about the collection and use of their personal data. You may see this achieved through privacy notices for example.
Right of Access
- Individuals have the right to obtain confirmation as to whether or not personal data concerning them is being processed, and where that is the case, access to their personal data as well as other supplementary information.
Right to Rectification
- Individuals have the right to have their inaccurate personal data rectified.
Right to Erasure (aka “the Right to Be Forgotten”)
- Individuals have the right to have a controller erase their personal data in certain circumstances.
Right to Restriction of Processing
- Individuals have the right to have a controller restrict processing of their personal data in certain circumstances, for example while the accuracy of the data is being checked or an objection is being considered. This means that the controller may continue to store the data but must stop any other processing of it for the duration of the restriction.
Right to Data Portability
- Individuals have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format. They also have the right to have that data transmitted directly to another controller where this is technically feasible. This right only applies where the processing is based on consent or on a contract and is carried out by automated means.
Right to Object
- Individuals have the right to object to the processing of their personal data in certain circumstances.
Rights Related to Automated Decision-Making, including Profiling
- Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
How Long Do We Have To Deal With a Request?
Normally you must respond within one month of receiving the request. This can be extended by a further two months where requests are complex or numerous, provided you tell the individual within the first month and explain why the extension is needed.
Can We Charge a Fee?
Usually not. You can charge a reasonable fee, or refuse to act, only where a request is manifestly unfounded or excessive (for example, because it is repetitive), and you may charge a reasonable fee for further copies of data you have already provided.
Can the ICO Fine Us If We Don't Comply?
Yes. The ICO can issue monetary penalty notices as well as enforcement notices requiring you to take, or stop, particular actions.
How Much Could We Be Fined?
There are two tiers of maximum fine, depending on which obligation has been infringed:
- Up to €20,000,000, or 4% of worldwide annual turnover (whichever is higher), for infringements of the data protection principles, individuals' rights, or the rules on international transfers. Under the UK GDPR the equivalent cap is £17.5 million or 4%.
- Up to €10,000,000, or 2% of worldwide annual turnover (whichever is higher), for infringements of other obligations, such as security of processing, breach notification, records of processing and appointing a representative. Under the UK GDPR the equivalent cap is £8.7 million or 2%.
What Factors Will The ICO Take into Consideration When Determining How Much to Fine?
- The Nature, Gravity, and Duration of the Infringement
- Whether the Infringement Is Intentional or Negligent
- Actions Taken to Mitigate the Damage Suffered by Individuals
- The Degree of Cooperation with the ICO
- Whether the Infringement Was Notified to the ICO
- Previous History of Enforcement Action