Data Protection is the safeguarding of the rights of all individuals to privacy in relation to the processing of their personal data. The processing of data is regulated by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Processing of personal data is defined in GDPR as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
GDPR and the Data Protection Act 2018 govern and protect an individual’s fundamental rights and freedoms, in particular the right to privacy, with regard to the processing of their personal data. GDPR and the Data Protection Act 2018 regulate the processing of personal data to ensure an individual retains effective control over their personal data.
Personal data is defined in GDPR as information relating to an identified or identifiable natural person.
Data Controller Obligations
A Data Controller (an individual or legal person who controls and is responsible for the keeping and use of personal information on computer or in structured manual files) has the following obligations when processing personal data:
Under Data Protection legislation, personal data must be:
- Processed fairly, lawfully and in a transparent manner (fair, lawful and transparent processing)
- Collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation)
- Adequate, relevant and limited to what is necessary in relation to the purposes for which the personal data are processed (data minimisation)
- Accurate and, where necessary, kept up to date and/or where necessary, erased or rectified without delay (accuracy of data)
- Kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation)
- Kept and processed securely and confidentially appropriate to the risk (integrity and confidentiality)
- Processed only where the Data Controller can demonstrate compliance with the requirements of GDPR (accountability).
Rights of Data Subjects
Under GDPR and the Data Protection Act 2018 an individual has a right to be informed as to how their personal data is being processed. An individual has the right to obtain a copy of any information relating to them kept on computer or in a structured manual filing system. The Data Controller is obliged to respond to a request for personal data (a subject access request) within one month of receiving the request (extendable by a further two months in certain limited circumstances).
There are some exemptions and limited circumstances set down in the legislation whereby the Data Controller may not be required to give the data subject information regarding the processing of their personal data or provide the personal data.
The legislation also sets out additional rights of data subjects with regard to their personal data, which include:
- the right to rectification of personal data
- the right to be forgotten, meaning the right to obtain from the Data Controller the erasure of personal data without undue delay where certain specified grounds apply
- the right to restrict further processing of their personal data where specified grounds arise
- the right to object to processing.
If a Data Controller does not comply with a valid subject access request from an individual (data subject) or if a data subject is not satisfied with the response they receive from the Data Controller they may make a complaint to the Data Protection Commissioner or institute legal proceedings.
GDPR and the Data Protection Act 2018 provide for significant penalties for Data Controllers (and Data Processors) in the event of a data breach, i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
At Porter Morris, we have the knowledge and experience to advise on all aspects of Data Protection. We advise individuals on making a request under GDPR and the Data Protection Act 2018 and making complaints to the Data Protection Commissioner. We advise Data Controllers and Data Processors on complying with their obligations under Data Protection legislation. We advise Data Controllers and Data Processors on how to respond to requests made by individuals and how to deal with those requests.