Data protection
Data Protection Legislation Principles
- Data Protection Act (1998): Primary UK law regulating the use of personal data. Aims to protect people’s privacy rights.
- Eight principles of data protection: The Act hinges on these principles that organisations must adhere to when handling personal data.
Eight Principles
- Fair and lawful processing: Personal data must be processed fairly and within the confines of the law.
- Purpose limitation: Data should only be collected for specified, explicit and legitimate purposes.
- Data minimisation: Collected data must be adequate, relevant and not excessive in relation to the purpose(s) for which they are processed.
- Accuracy: Personal data should be accurate, and, where necessary, kept up to date.
- Storage limitation: Keep data for no longer than necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality: Data must be handled in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Accountability: The data controller should not only be compliant but demonstrate compliance with the principles.
- Rights of Data Subjects: Individuals have the right to be informed, to access their data, to object to processing, to have inaccuracies rectified, to erasure (the ‘right to be forgotten’), to data portability, to restriction of processing, and rights relating to automated decision-making and profiling.
GDPR
- General Data Protection Regulation (GDPR): European Union regulation that superseded the Data Protection Act 1998 and took effect in May 2018.
- Extra-territorial: GDPR applies to all organisations worldwide that process personal data of EU residents.
- Tough Penalties: Non-compliance can lead to hefty fines (up to 4% of annual global turnover or €20 million).
IT Security Measures
- Firewalls: Protect networks from unauthorised access.
- Antivirus Software: Helps protect computers from malicious software, or malware.
- Encryption: Encoding information so that only authorised users can read it.
- Back-ups: Make regular copies of files so they can be recovered if originals are lost or damaged.
- Passwords and access rights: Restrict access to authorised individuals only.
- Physical security: Protection of hardware against theft or damage (e.g. secure doors, ID cards).
Consequences of lacking Data Protection
- Financial loss: Due to fines or loss of business.
- Reputation damage: Employees, customers, and other stakeholders may lose trust.
- Legal consequences: Potential for litigation and penalties.
- Operational problems: Data breaches can disrupt normal business operations.