
Data protection principles under the GDPR

Data protection has until now largely been regulated in the EU under a 1995 directive that controls the processing of personal data—EU Member States each had to adopt their own national legislation to implement this directive. In the UK, this took the form of the Data Protection Act 1998 (DPA 1998).

In 2012 the European Commission began a legislative reform process with the objective of significantly overhauling the 1995 rules to catch up with the huge advances of the digital age. The General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, is designed to achieve this. It would be a mistake for UK businesses to assume that the United Kingdom leaving the EU means they do not need to comply with the GDPR. The GDPR will come into force before any exit process is concluded, and equivalent legislation may well be retained thereafter in substantially the same form. Any person or organisation that handles personal data, whether as a data controller or as a data processor, must comply with the core principles of the GDPR. The principles are broadly similar to those set out under the DPA 1998, but with added detail at certain points.

The GDPR has seven principles, being:

Principle 1: Lawfulness, fairness and transparency – personal data must be ‘processed lawfully, fairly, and in a transparent manner in relation to the data subject’. The principle is broadly similar to that contained in the DPA 1998; however, the GDPR now expressly states that data should be processed in a ‘transparent manner’, which includes giving data subjects adequate information about how their data is processed.

Principle 2: Purpose limitation – personal data must be collected for specified, explicit and legitimate purposes, and must not be further processed in a manner that is incompatible with those purposes.

Principle 3: Data minimisation – personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

Principle 4: Accuracy – personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that where personal data is inaccurate it is erased or rectified without delay.

Principle 5: Storage limitation – personal data must be kept in a form which permits identification of data subjects for no longer than is necessary.

Principle 6: Integrity and confidentiality – personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Principle 7: Accountability – a data controller shall be responsible for, and be able to demonstrate, compliance with the GDPR data protection principles. This is one of the most significant changes under the GDPR. The GDPR requires an organisation to show how it is complying with the principles – for example, by documenting the decisions it takes on processing activities.

Preparing and responding to a data breach

Under the provisions of the GDPR, a breach could lead to a fine of up to €20 million or 4% of a data controller or data processor’s global turnover. Given the substantial fines they may face, it’s essential that all data controllers and data processors prepare for any such breach. They should consider:

  • having a clear incident response plan;
  • having a pre-selected incident response team leader;
  • using outside advisors selected in advance (such as legal advisers, fraud protection providers, forensic investigators, public relations experts);
  • separating Information Security and Information Technology functions;
  • whether their insurance coverage is adequate and appropriate;
  • conducting regular incident response drills;
  • checking the terms and conditions of their website;
  • checking employee policies and procedures; and
  • developing relationships with law enforcement authorities before any incident.

In the event that there is a breach of GDPR, any business should ensure that:

  • the response team leader is immediately notified;
  • outside forensic investigators are retained to determine the extent of any breach;
  • internal IT departments are not tasked with investigation of any breach;
  • insurance coverage is checked;
  • consideration is given to notifying law enforcement bodies;
  • any required breach/incident notifications are made (without notifying prematurely or excessively);
  • it considers when/how to notify employees;
  • a person is designated to handle external communications;
  • it considers posting a notice concerning the breach on its company website;
  • it considers the impact of any stolen intellectual property/trade secrets; and
  • an ongoing record is maintained of response steps and follow-up.


Although correct at the time of publication, the contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article. Please contact us for the latest legal position.