What information is protected under the Data Protection Act?

GDPR | Seers Article

The GDPR came into force on 25 May 2018 and replaced the Data Protection Act (DPA) 1998, which by then was widely regarded as no longer fit for the purpose for which it had been designed; the Data Protection Act 2018 was passed alongside it to apply and supplement the GDPR in UK law. Under the DPA 1998, any business in the United Kingdom collecting, storing or processing an individual's personal data had to comply with the Act, and the Information Commissioner's Office (ICO) could fine an organisation up to £500,000 for failing to do so. In practice such fines were issued mainly for data breaches, and only rarely. The 1998 Act did not keep pace with the changes in the business world, particularly in the technology sector, as businesses changed the ways in which they manage and use personal data: online shopping, the rapid rise of social media, and data analytics and online marketing tools that build on personal data and current user trends.

A breach of the Act takes place where personal data is misused or processed unlawfully, or where an individual is unaware that his or her data is being used for online marketing or other marketing purposes to which the individual never gave the organisation consent.

Summarising the principles of the Data Protection Act (DPA) 1998

The DPA 1998 applied to every business and organisation based in the UK that processed an individual's personal data. The ICO published guidance, largely aimed at self-assessment, to help businesses comply.

The key points of the DPA 1998, its eight data protection principles, are set out below; these are the fundamental requirements businesses had to meet to comply with the Act. Businesses and organisations had to ensure that personal data was:

  • processed fairly and lawfully;
  • collected and processed only for specified, lawful purposes;
  • adequate, relevant and not excessive;
  • accurate and kept up to date;
  • not retained for longer than necessary once it was no longer needed;
  • processed in accordance with the individual's rights;
  • securely stored and processed, with appropriate technical and organisational measures against unauthorised access, loss or damage;
  • not transferred outside the European Economic Area unless adequate legal protection was in place.

Any business found to be in breach of the DPA 1998 could be penalised up to £500,000 by the regulator, the Information Commissioner's Office (ICO). With the Act in urgent need of review, it was replaced in May 2018 by the EU General Data Protection Regulation (GDPR), supplemented in the UK by the Data Protection Act 2018. In summary, every business in the EU needs to comply with the GDPR or risk substantial fines (up to €20 million or 4% of annual worldwide turnover, whichever is higher), criminal liability under the national laws of some member states, reputational damage and loss of business.

The General Data Protection Regulation (GDPR)

If you have a business in the EU, you will be aware of the General Data Protection Regulation (GDPR). In 2012 the European Commission laid down the basis for reforming data protection regulation so that it applies uniformly across all EU member states. These reforms were intended to bring Europe in line with an ever-evolving digital economy, which called for extra protection for users who readily divulge private information online. The regulation applies to all organisations established in the EU, and also to organisations elsewhere in the world that offer goods or services to, or monitor the behaviour of, individuals in the EU.

What are the main entities of the GDPR?

Under the GDPR there are three principal roles:

  1. The data controller can be an organisation, a public authority or agency, or an individual.
    Ultimately, the data controller is the body that determines "the purposes and means of the processing of personal data";
  2. The data processor is the organisation, public body or individual that processes personal data on the controller's behalf;
  3. The Data Protection Officer (DPO) is a role the GDPR makes mandatory for certain organisations, such as public authorities and those whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. The role of the DPO is "to ensure that an organisation processes the personal data of its staff, customers, data providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules."

The GDPR places a higher level of responsibility on controllers and processors, who are legally required to ensure that their organisation, its staff, and any third-party suppliers, contractors or vendors that process personal data on their behalf are compliant.

  • The GDPR sets solid standards for the protection and privacy of data held by organisations, so that businesses can benefit from the global digital economy in a lawful manner.
  • The regulation was developed over many years to reflect how we live in the digital era, focusing mainly on protection, privacy and consent.
  • The GDPR is designed to support the growth of cross-border online business while ensuring that individuals' data privacy rights are protected.

GDPR and online services

The bottom line is that much of daily life now takes place online, whether it involves:

  • Social networking
  • Online banking
  • Online shopping

These online experiences continue to change and evolve. The GDPR has been designed to cover existing and new developments, unlike the now outdated DPA 1998. Practically every online service involves the collection and analysis of personal data, and most people accept the privacy risks for the convenience these services offer. The third-party organisations that track and monitor users "behind the scenes" are a primary concern of the GDPR.

One example is Internet Service Providers (ISPs), which handle all traffic crossing their networks and monitor it to keep the networks running smoothly and to detect attacks. In some jurisdictions ISPs have been permitted to collect and sell browsing data without the user's permission; they have visibility of billions of online e-commerce transactions, which allows them to analyse individual buying trends.

The GDPR now gives individuals protection against such practices. Online conglomerates make it their business to collect data and assemble it into a valuable resource that is sold to marketers and advertisers. Companies such as those listed below have been hugely successful financially, not only because of the user experience they offer but mainly because of their advertising-driven business models and their ability to deliver targeted adverts based on users' previous browsing history.

  • Facebook
  • Google
  • Amazon
  • YouTube

Income is generated by the likes of Facebook each time an advert is delivered to a targeted user or a link is clicked. Every link you click is tracked, and based on your previous searches and browsing history these sites can determine exactly what advertising to display to you.

Internet privacy and the question of data collection and storage have been simmering for many years: data breaches result in stolen or lost information, and private data is shared negligently. Misuse of private data is the chief problem the GDPR is intended to resolve. Data breaches have been taking place for years, but under the outdated DPA 1998 the financial penalties were not a sufficient deterrent to the larger online businesses.

✓ Comply or indemnify

The GDPR fines are much higher than the financial penalties unde