ifoaDP 2019
1 INTRODUCTION
This guide deals with the position in the UK, but due to harmonisation the rules throughout
the EU are similar.
Data about persons or businesses has always been a valuable and sensitive commodity,
but in the last 30 years or so, the exponential growth and availability of computer systems to
assemble, arrange and transfer data have posed a challenge for legal systems worldwide.
The demand for such data is insatiable, and to allow unrestricted holding of, and access to,
it would rapidly lead to chaos and criminality. The only applicable English law, prior to the
recent information explosion, worked on the basis of the protection of confidence, and there
was little statutory control of data beyond that. That case law has the broad effect of treating
certain confidential information as being within the reach and protection of the equitable
jurisdiction. This was completely inadequate to deal with the huge proliferation of potentially
accessible databases, containing mundane but highly valuable information. After major
investigations and various government reports, coupled with the need to have legal
protections compatible with those of the rest of the EU, the Data Protection Act 1984 was
enacted. This Act was regulatory in effect and it could not cover paper-based systems; it set
out certain guiding principles and its enforcement was largely in the hands of a Data
Protection Registrar, with some compensation available for affected individuals. Its effect
was to make the handling of personal information subject to controls which had not existed
before.
After the 1984 Act came the Data Protection Act 1998, which was enacted pursuant to the
European Data Protection Directive of 1995 (95/46/EC). The aim of the Directive (and thus
the Act) was to give no more protection to data processing than was commensurate with a
balance between the rights of natural persons and the maintenance of a free market within
the EU, by harmonising national legal rules. The Directive was replaced by the General Data
Protection Regulation (GDPR) in 2018. The GDPR was designed to reshape the way in which
data is used across Europe, with a greater emphasis on the privacy of the individual. GDPR
applies to businesses in the EU and businesses outside the EU that offer goods or services or
monitor individuals in the EU.
The GDPR, as with all EU Regulations, applies across Europe; however, it allows Member
States limited opportunities to make provision for how it applies in their countries. It is
therefore backed up in most Member States by national legislation. In the UK, this comes in
the form of the Data Protection Act 2018. This 2018 Act has one eye on Brexit (which at the
time of writing is being negotiated) as, to a large extent, it brings the GDPR into UK legislation
in a way which would not be necessary were we to remain part of the EU (as we would be
subject to the GDPR itself). It also goes beyond the GDPR, however, as it applies a broadly
equivalent regime to certain types of data processing to which the GDPR does not apply.
This guide looks at UK data protection (and by extension EU data protection). It is said that
Europe has the most comprehensive data protection rules in the world. Some jurisdictions
such as India have no specific data protection laws, are not signed up to any international
treaties or conventions and have no regulator dealing with data protection. However, that is
not to say that India does not protect personal data. The Information Technology Act 2000 gives
rights to compensation for improper disclosure of personal data. There is also a common law
of confidence which protects data to some extent. The US has data protection provisions,
but they are complex and to some extent fractured, with some states, e.g. California, having a
data protection act whilst others do not. At a federal level, children’s data is protected.
1.1 Data Protection Act (DPA) 2018
The aim of the GDPR (and thus the 2018 Act) is to protect the public from privacy and data
breaches in an increasingly data-driven world. The level of data use in 2018 is way above its
As mentioned above, for the purposes of this guide we will concentrate on the provisions of
the DPA 2018 as they affect the relationship between the individual and those who process
our personal data in the commercial world. In this regard the effects of the DPA 2018 fall into
two categories. The first is to allow individuals access to information held about them, for
example the information held about people by credit reference agencies. This may be
inaccurate and a person would probably want to correct such inaccuracies. The second effect
is to protect information about individuals from being disclosed improperly. So, if you give
your bank or gas supplier certain information, you might not want them to disclose that
information to another business, for example an insurance company, without your consent.
Such information is very valuable commercially, and it should not be available for sale without
your consent.
To understand the workings of the 2018 Act, it is necessary first to look at some definitions
which are closely interdependent, and then to examine the principles of good practice (see
2.2.2).
2.2.1 The definitions of ‘controller’, ‘processor’, ‘personal data’ and ‘processing’
‘Controller’ means the natural or legal person, public authority, agency or other body
which, alone or jointly with others, determines the purposes and means of the
processing of personal data. A processor is capable of acting independently in respect
Again, in the field of commerce, the DPA 2018 largely adheres to the provisions of the GDPR
in terms of the rights of the data subject. Therefore, in the discussion below, reference has
been made where appropriate to the relevant articles of the GDPR which are applied via Part
2, Chapter 2 of the DPA 2018.
There are eight rights which data subjects have under Chapter 3 of the GDPR:
(1) The right to be informed. Individuals have the right to be informed about the
collection and use of their personal data. At the time the data is collected,
the individual must be provided with information including the purpose for
processing it, the retention period for it, and who it will be shared with. If
information on an individual is obtained from another source, the
controller/processor must provide the individual with privacy information
within a maximum of a month.
(2) The right of access. Individuals have a right to access their personal data,
and this request may be made verbally or in writing. Requests must be
As we saw at 2.2.2, data controllers must abide by the data protection principles. The two
principles of most concern in regard to disclosure of personal data are the first two, namely
that data must be fairly and lawfully processed, and processed for legitimate purposes. In
addition, the controller must implement appropriate technical and organisational measures to
ensure and to be able to demonstrate that processing is performed in accordance with the
GDPR (GDPR, Article 24). This obligation essentially requires a data controller to be able to
show that its systems are robust and demonstrably able to comply with the principles.
Controllers need to have systems which ensure that only personal data which is necessary for
each specific purpose of the processing is processed. These systems must control the
amount of personal data collected, the extent of the processing, the period of storage and its
accessibility. There are recommendations in the GDPR for national codes of conduct and
certification schemes to encourage best practice in the handling of data.
The GDPR specifically envisages controllers using processors, who carry out processing on
behalf of the controller. According to Article 28, the controller shall use only processors who
provide sufficient guarantees to implement appropriate technical and organisational measures
that will meet the demands of the GDPR. The GDPR is very clear that the processor should
not process data except on the instructions of the controller (unless the law directs otherwise).
The controller, or its processor, must keep accurate records (according to GDPR, Article 30)
QUESTIONS
1. What is the relationship between GDPR and the Data Protection Act 2018?
2. Does GDPR apply only to businesses in the EU?
3. Is a cloud storage provider likely to be a controller or processor of data?
4. A client passes data to a firm of actuaries so the firm can give him professional advice. Is
the firm likely to be a controller or processor of the data?
5. Is data about a criminal conviction a special category of sensitive data under GDPR?
6. If there has been a data breach how long has a controller got to notify the supervisory
authorities of breach?
7. What is the maximum that can be levied for breaches of data protection rules?
8. What is the main distinction that can be drawn between the Data Protection Act 2018 and
the Freedom of Information Act 2000?
9. Does the Data Protection Act cover data which might identify a company?
10. What is an ‘information notice’? What is an ‘assessment notice’?
ANSWERS
1. The GDPR applies across all members of the EU. It allows member countries to build on
the rights in it in some cases. The Data Protection Act 2018 would have been a short statute
building on GDPR rights if Brexit were not happening. However, Brexit means the Data
Protection Act 2018 brings GDPR into domestic legislation to align with the EU after Brexit.
The Data Protection Act 2018 therefore both repeats GDPR in domestic form and also builds
on GDPR.
2. No. GDPR can apply to businesses outside the EU that offer goods or services in the EU or
monitor individuals in the EU.
3. A cloud storage provider is likely to be acting as a processor, as it stores data on behalf of a
controller.
4. The firm is likely to be a controller. The firm is likely to be able to act independently with the
data in order to give effective advice to the client.
5. No. Under GDPR data about criminal convictions is not special category sensitive
information. However, the Data Protection Act 2018 extends special category status to data
about criminal convictions.
6. 72 hours. It is worth noting that the 72 hours includes non-working days such as weekends
and bank holidays.
7. The maximum fine depends on the nature of the breach. The higher maximum fine, for
breaches of information notices, assessment notices or enforcement notices, is up to
€20m or 4% of annual worldwide turnover (whichever is higher). For other breaches it is
€10m or 2% of annual worldwide turnover.
8. The Data Protection Act 2018 deals with private protection of personal data. The Freedom
of Information Act 2000 deals with public access to government information.
9. No. The Act only includes data which might identify an individual.
10. An information notice is a notice issued by the Information Commissioner which requires a
controller or processor to provide information to the Information Commissioner to enable the
Information Commissioner to decide whether a breach has occurred. An assessment notice is
a notice issued by the Information Commissioner to a controller or processor to allow the
Information Commissioner to assess whether the controller or processor has complied with
their legal obligations.