Any given subject usually comes with its own set of acronyms and jargon. A quick scan through our own website and service offerings such as data protection, proves just that. It makes sense to us, because we live it every day but if you’re just trying to get on with running your business and data protection is not your area of expertise, reading through our services and blog pages can quickly become a bit daunting. So, here is a key list of the most common data protection terms to help you get started.
The General Data Protection Regulation (2016/679) is a European Regulation designed to protect the privacy of citizens in the European Union and European Economic Area, and to give individuals control over how their personal data is used. It’s purpose was to harmonise the various data protection legislation across the EU and came in to force on the 25th May 2018.
The Data Protection Act 2018 is a British law which governs the use of the personal information of British citizens. It complements the GDPR and came into force on the 23rd May 2018. When dealing with UK Citizens, the GDPR and DPA18 should both be referred to jointly.
The United Kingdom General Data Protection Regulation retains the GDPR in UK domestic law now the transition period has ended and the UK has left the EU, but the UK has the independence to keep the framework under review. The ‘UK GDPR’ sits alongside an amended version of the DPA 2018. The key principles, rights and obligations remain the same. However, there are implications for the rules on transfers of personal data between the UK and the EEA.
Under the GDPR’s e-privacy directive there are specific rules concerning individuals’ privacy rights in relation to electronic communications such as emails and cookies. The UK has incorporated this directive into UK law via the PECR – Privacy and Electronic Communications Regulation 2003. There is cross over between the GDPR and PECR so both should be consulted jointly, especially when marketing to individuals
Any information (information is also referred to as data) of an identified or identifiable natural person. As well as the obvious ‘name’, this includes reference numbers, online identifiers, location data, physical, physiological, mental, genetic, economic, cultural or social information that can be used on its own or put together to identify that person.
A living person (the deceased do not have data privacy rights).
Natural person (see above).
There is a distinction between those that ‘control’ data and those that ‘process’ it. The distinction is important because there are slightly different requirements applied depending on which you are. The data ‘controller’ is the natural or legal person, public authority, agency or other body which alone or in conjunction with others determines why the data is needed, (the purpose) and how it will be processed. If you’re a controller, then you’ll also be a processor. To use an analogy of driving a car, if you’re the driver then you could also be considered a passenger. All passengers have to wear a seatbelt but if you’re a driver then you have other tasks and requirements to meet.
The data ‘processor’ is any natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. The processor would be a third-party supplying a service to the controller.
European Data Protection Board. The EDPB is an independent European body which ensures all member states apply the GDPR correctly and consistently. It is made up of representatives from the supervisory bodies of the individual member states, (the UK representative is the Information Commissioners Office (ICO)).
Information Commissioner’s Office is the UK’s Independent public body which governs and upholds data protection laws. The ICO falls under the government department for Digital, Culture, Media and Sport. It investigates breaches to data protection law and can issue fines in line with the UK GDPR to offending natural persons, organisations, agencies or bodies.
If you control or process the personal information of UK citizens on any electronic device including CCTV for crime prevention, you will most likely have to pay the annual fee to the ICO. You can check if you have to pay by using the ICO’s self-assessment checker here. If you become aware of a data breach within your organisation you may be required to report it to the ICO.
Subject Access Request (SAR)
Individuals have the right to ask you what personal information your organisation holds on them. You have to respond within one calendar month of receiving their request unless the request is complex or you have many concurrent requests, in which case you can extend the deadline to three calendar months as long as you inform the data subject of the delay and state your reason.
Legitimate Interest Assessment (LIA)
Under the GDPR there are six lawful bases upon which you can process data. Consent for example is one of the lawful bases which requires a data subject to give you permission to process their data. ‘Legitimate Interest’ is a lawful basis whereby you can process personal data if you deem it necessary to carry out your business but to justify your decision, you have to weigh up the rights and freedoms of the individual with the purpose for which you believe you need to process the data. This requires you to carry out a Legitimate Interest Assessment. If you process data under the basis of Legitimate Interest, it is a legal requirement to carry out an LIA. We have more detail on this here.
Data Protection Impact Assessment (DPIA)
If you process high risk data such as biometric data (a full list of types of high-risk data can be found here), it is a legal requirement under the GDPR to carry out a Data Protection Impact Assessment. The aim of the DPIA is to help you clarify what personal data you control and why you need it so that you can either justify why you’re collecting it or decide to stop collecting it.
Record of Processing Activities (RoPA)
Under the GDPR, if your organisation processes personal data, you must create a Record of Processing Activities and keep it up to date. This document lists all the types of personal data that your organisation controls and/or processes. We have a detailed explanation here.
If you process personal data, you must make it clear to the data subject what data you are processing, why you need it, under what lawful basis you are collecting it, how long you intend to keep it, what third parties you send it do, why and what they will be doing with it. Your Privacy notice must be easily accessible and written in a clear and transparent way. We have more detail on how to write privacy notices here.
Sometimes businesses that process personal data of citizens in the EU and EEA, need to send that data to a supplier outside of the EEA where it loses the protection of the GDPR. This could be as simple as the cloud provider you are using being based outside of the EEA. In certain circumstances, such as the EU commission determining that a country has adequate data protection standards, this is permitted by the GDPR and is referred to as a ‘restricted transfer’. If there is no adequacy decision you have to ensure that certain safeguards are in place such as a contractual agreement. The ICO explains in detail here.
If you are trying to clarify whether you are at risk of a data breach, or want to discuss what your business needs in order to prevent a breach, we can help. Contact us for a no-obligation chat.