Data protection

Data Protection Legislation Principles

  • Data Protection Act (1998): Primary UK law regulating the use of personal data until it was repealed by the Data Protection Act 2018. Aims to protect people's privacy rights.
  • Eight principles of data protection: The Act is built around eight principles that anyone handling personal data must follow.

Eight Principles

  • Fair and lawful processing: Personal data must be processed fairly and within the confines of the law.
  • Purpose limitation: Data should only be collected for specified, explicit and legitimate purposes.
  • Data minimisation: Personal data must be adequate, relevant and not excessive in relation to the purposes for which they are processed.
  • Accuracy: Personal data should be accurate, and, where necessary, kept up to date.
  • Storage limitation: Keep data for no longer than necessary for the purposes for which the personal data are processed.
  • Integrity and confidentiality: Data must be handled in a manner ensuring appropriate security - including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
  • International transfers: Personal data must not be transferred outside the European Economic Area unless the destination ensures an adequate level of protection. (This was the 1998 Act's eighth principle; GDPR later added an explicit Accountability principle, under which the data controller must not only comply but be able to demonstrate compliance.)
  • Rights of Data Subjects: Processing must respect individuals' rights. As enumerated by GDPR these are the rights to be informed, of access, to rectification, to erasure (the 'right to be forgotten'), to restriction of processing, to data portability, to object, and rights relating to automated decision-making and profiling.

GDPR

  • General Data Protection Regulation (GDPR): European Union regulation that applied from 25 May 2018. In the UK it operates alongside the Data Protection Act 2018, which replaced the 1998 Act.
  • Extra-territorial: GDPR applies to organisations established in the EU and to organisations anywhere in the world that offer goods or services to, or monitor the behaviour of, individuals in the EU.
  • Tough Penalties: The most serious infringements can attract fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher (a lower tier of €10 million or 2% applies to other infringements).

IT Security Measures

  • Firewalls: Filter traffic between networks according to rules, so that only expected connections reach internal systems.
  • Antivirus Software: Detects and blocks known malicious software (malware); it needs regular updates and does not catch everything.
  • Encryption: Transforms data so that only someone holding the key can read it, protecting confidentiality on disk and in transit; a lost key means lost data, so key management matters as much as the cipher.
  • Back-ups: Regular copies of files, kept separately from the originals (ideally offline), so data can be recovered if the originals are lost or damaged; restores should be tested, not assumed to work.
  • Passwords and access rights: Authenticate users and restrict each one to the data and actions their role requires (least privilege); passwords should be stored only as salted hashes, never in plain text.
  • Physical security: Protection of hardware against theft or damage (e.g. secure doors, ID cards, locked server rooms).
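The "passwords and access rights" measure above is the one most often got wrong in practice, so here is an added example (not part of the original notes) showing what a correct implementation looks like using only the Python standard library. The user store, the two roles (clerk, admin) and the customer-record actions are constructed for illustration; PBKDF2-HMAC-SHA256 with a per-user random salt stands in for whatever password hash a real system uses (Argon2, bcrypt or scrypt are equally acceptable).

```python
"""Password storage and access-rights enforcement (added example, stdlib only).

Constructed for illustration: an in-memory user store, roles 'clerk' and
'admin', and a handful of actions on a customer record. Nothing here is
from the original notes.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's 2023 guidance is 600,000 iterations).
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Role -> actions that role may perform. Anything not listed is denied (least privilege).
PERMISSIONS = {
    "clerk": {"read_customer"},
    "admin": {"read_customer", "update_customer", "delete_customer"},
}

# Constructed sample user store: username -> (salt, digest, role). No plaintext passwords.
USERS: Dict[str, Tuple[bytes, bytes, str]] = {}

# Used when the username does not exist, so a failed login takes the same time
# whether or not the account is real (stops username guessing via timing).
_DUMMY_SALT = os.urandom(SALT_BYTES)
_DUMMY_DIGEST = hashlib.pbkdf2_hmac("sha256", b"placeholder", _DUMMY_SALT, PBKDF2_ITERATIONS)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A random salt per user means two users with the
    same password get different digests, which defeats precomputed tables."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username: str, password: str, role: str) -> None:
    """Store only the salt, the digest and the role; the password itself is discarded."""
    if role not in PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    salt, digest = hash_password(password)
    USERS[username] = (salt, digest, role)


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the user's role on success, None on failure.

    hmac.compare_digest runs in constant time, so an attacker cannot learn how
    many leading bytes of the digest matched from how long the check took."""
    salt, digest, role = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST, None))
    _, candidate = hash_password(password, salt)
    if hmac.compare_digest(candidate, digest) and role is not None:
        return role
    return None


def authorise(role: str, action: str) -> bool:
    """Deny by default: only actions explicitly granted to the role pass."""
    return action in PERMISSIONS.get(role, set())


def perform(username: str, password: str, action: str) -> str:
    """Authenticate first, then check access rights, then act. Raise on either failure."""
    role = authenticate(username, password)
    if role is None:
        raise PermissionError("authentication failed")
    if not authorise(role, action):
        raise PermissionError(f"role {role!r} may not {action}")
    return f"{username} performed {action}"


# Constructed sample accounts (passwords exist only long enough to be hashed).
register("alice", "Correct-Horse-Battery", "admin")
register("bob", "staple-9-Lantern", "clerk")

if __name__ == "__main__":
    print(perform("bob", "staple-9-Lantern", "read_customer"))
    try:
        perform("bob", "staple-9-Lantern", "delete_customer")
    except PermissionError as exc:
        print("denied:", exc)
```

Two design points are worth noting. Authentication and authorisation are separate steps: a valid login proves who the caller is, and the role table then decides what they may do, with anything not explicitly granted refused. And the dummy salt and digest for unknown usernames keep the cost of a failed login constant, so the login form does not double as a way to discover which accounts exist.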

Consequences of lacking Data Protection

  • Financial loss: Due to fines or loss of business.
  • Reputation damage: Employees, customers, and other stakeholders may lose trust.
  • Legal consequences: Potential for litigation and penalties.
  • Operational problems: Data breaches can disrupt normal business operations.