The UK General Data Protection Regulation (GDPR) adopts the previous EU GDPR with some tailor-made technical amendments made under the Data Protection Act 2018. All businesses and organizations in the United Kingdom that handle personal data must comply with this legal framework.
UK GDPR sets out data protection principles, rights and obligations. These are important and embody the spirit of the general data protection regime in the UK.
It applies to ‘controllers’ (persons who determine the purposes and means of processing personal data) and ‘processors’ (those who process personal data on behalf of a controller).
It also applies to organizations outside the UK that offer goods or services to individuals in the UK. Certain activities are exempt, such as processing for national security purposes handled under the Law Enforcement Directive.
There are 7 key principles guiding the approach to processing personal data:
– Lawfulness, fairness and transparency
– Purpose limitation – data is collected for specified, explicit and legitimate purposes
– Data minimisation – adequate, relevant and limited to what is necessary
– Accuracy – accurate and up to date; and inaccurate personal data to be erased or rectified
– Storage limitation – kept in a form which permits identification for no longer than is necessary but may be stored for longer periods in certain circumstances (including public interest)
– Integrity and confidentiality (security) – appropriate measures to protect against unauthorized or unlawful processing, accidental loss, destruction or damage
– Accountability – controller shall be responsible for compliance with data protection law
There must be a valid lawful basis in order to process personal data. The six lawful bases for processing are:
– Consent – clear consent given by individual for a specific purpose
– Contract – necessary for a contract with the individual
– Legal obligation – necessary to comply with the law
– Vital interests – necessary to protect someone’s life
– Public task – necessary to perform a task in the public interest which has a clear basis in law
– Legitimate interests – necessary for the legitimate interests of the controller/processor or the legitimate interests of a third party (unless there is a good reason to protect the personal data which overrides those legitimate interests).
The UK GDPR provides the following eight individual rights:
– Right to be informed – individuals to be informed of the collection and use of their personal data, including the purpose for processing.
– Right of access – request by data subject should be responded to within one month from receipt of request
– Right to rectification – request to rectify inaccurate or incomplete personal data should be responded to within one month
– Right to erasure – this is also known as ‘the right to be forgotten’, which is not an absolute right and only applies in certain circumstances
– Right to restrict processing – request to restrict processing of personal data in certain circumstances – an alternative to requesting erasure
– Right to data portability – allow individuals to obtain and reuse their personal data for their own purposes across different services, i.e. moving, copying or transferring personal data from one IT environment to another
– Right to object – objection to the processing of personal data in certain circumstances should be responded to within one month. The right to object processing data for direct marketing is an absolute right.
– Rights in relation to automated decision making and profiling – these may generally be understood as AI data processing without human involvement (such as an online decision to grant a loan, or a recruitment aptitude test using pre-programmed algorithms and criteria). Except in certain circumstances, individuals have the right not to be subject to such automated decisions, including profiling, which produce legal effects concerning them or significantly affect them.
Organizations have a duty to report certain data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible, and to promptly inform the affected individuals if the breach is likely to result in a high risk to the individuals’ rights and freedoms.