From supermarkets to travel agencies to virtually any organisation with an advanced marketing strategy, it’s common for organisations to collect personal data nowadays. But if you do collect client data, you must be careful how you handle it. A failure to do so correctly can result in significant fines.
The legislation that gives people control over how organisations use their personal data is called the Data Protection Act 2018. The law was passed post-Brexit to ensure that vital protections granted by the EU’s General Data Protection Regulations (GDPR), remained relevant in the UK. The UK version has also been referred to as UK GDPR, and is largely similar to EU GDPR.
In this article, we will explore what this law is and how it works to ensure you are respecting the rights of your clients and remain above the law.
Why the Data Protection Act 2018 Was Introduced
As mentioned, the Data Protection Act aligns the UK’s data protection framework with the GDPR to prevent the misuse of personal data, protect privacy and keep personal information secure.
The 2020 EasyJet data breach illustrates why the UK introduced the Data Protection Act 2018.
Hackers exploited a vulnerability in the airline’s security systems to gain access to email addresses, travel details and credit card information. The breach exposed the personal information of over 9 million customers, putting them at risk of identity theft and financial fraud.
As a result, EasyJet was fined £25 million by the UK’s data protection regulator and faced a number of class-action lawsuits from affected customers.
This incident highlights the importance of strong cybersecurity measures and the potential consequences of failing to protect customer data.
The Data Protection Act 2018 is essential to prevent the misuse or exploitation of personal data, protect people’s privacy, and keep their personal information secure.
Who Can Conduct a Risk Assessment?
Risk assessments can be performed by the employer or a manager, supervisor, employee or a third-party contractor. The person conducting the risk assessment must be deemed to be competent to perform the risk assessment. A ‘competent person’ must have a sufficient level of experience, training or other qualities that allow them to perform their duties to a reasonable standard.
Although an employer can delegate the task of conducting a risk assessment, they must bear in mind that legally, the responsibility lies with them. This means that the employer is legally responsible for ensuring that it is carried out correctly and that all control measures are implemented properly.
How Does the Data Protection Act 2018 Affect You and Your Personal Data?
The Data Protection Act 2018 provides individuals with increased authority over their personal data. Here are a few key points:
- You have more control over your data: You can request to see, correct, or delete the data that an organisation has about you.
- Organisations must protect your data: They have a legal obligation to protect your personal data from unauthorised access or theft.
- You can hold organisations accountable: You have the right to make a complaint to the Information Commissioner’s Office (ICO) if an organisation mishandles your personal data.
- The Data Protection Act 2018 applies to all organisations that collect and process personal data.
- The law applies to all types of personal data including your name, address, email address, phone number, date of birth and more.
By understanding the Data Protection Act 2018 and your rights, you can take control of your personal data and ensure that it is being used responsibly and kept safe.
Key Principles of The Data Protection Act 2018
The Data Protection Act key principles are the main principles that organisations must follow when collecting and processing personal data. They must:
- Be open and honest about how they use data
- Collect data only for specific reasons and not use it for anything else
- Limit the amount of data collected to what’s necessary
- Keep data accurate and up-to-date
- Only keep data for as long as it’s needed
- Keep data safe and secure
- Be accountable and able to demonstrate that they follow the rules
Following these principles is crucial for protecting people’s privacy and ensuring organisations are using personal data responsibly. By adhering to these principles, organisations can build trust with their customers and avoid violating the law.
What Are Your Rights Under the Data Protection Act 2018?
The Data Protection Act 2018 gives individuals more control over their personal data. Seven rights of individuals under the Act are:
Right to be informed: You have the right to know how your personal data is being used.
Right of access: You have the right to access the personal data an organisation holds about you.
Right to rectification: You have the right to have your personal data corrected if it’s inaccurate or incomplete.
Right to erasure: You have the right to request that an organisation deletes your personal data.
Right to restrict processing: You have the right to request that an organisation stops processing your personal data temporarily.
Right to data portability: You have the right to request that an organisation transfers your personal data to another organisation.
Right to object: You have the right to object to the processing of your personal data.
If you have any concerns or questions about how an organisation is using your personal data, you can make a complaint to the Information Commissioner’s Office (ICO), who will investigate the matter on your behalf.
Ensuring Compliance with The Data Protection Act 2018:
Tips for Businesses:
- Conduct a Data Protection Impact Assessment (DPIA)
- Implement appropriate technical and organisational measures to protect data
- Appoint a Data Protection Officer (DPO)
Tips for Individuals:
- Know your rights
- Be cautious about sharing personal data
- Report data breaches
Tips to keep data safe:
- Use strong passwords
- Be careful what you share online
- Check privacy settings on social media and other online platforms
By understanding your rights under the law and taking steps to protect your personal data, you can ensure that it’s being used responsibly and kept safe.
The Key Takeaways of the Data Protection Act 2018
The Data Protection Act 2018 is a law that regulates the collection and processing of personal data. It gives individuals control over their personal data and holds organisations accountable for protecting it.
If you want to learn more about GDPR compliance and ensure that your employees are always on the lookout for data breaches, Human Focus offers a comprehensive GDPR training course. It covers the principles of the legislation, how to protect personal data and gives you an understanding of the consequences of non-compliance.
About the author(s)
Kurt