Data protection requirements in the UK are set out in the Data Protection Act 2018. The Act implements and supplements the General Data Protection Regulation (GDPR), which was devised by the European Union, and the bulk of the GDPR's provisions are expected to be retained in UK law after Britain formally leaves the EU.
While the Act concerns the handling of personal data in the UK, the GDPR has wider reach: it applies to organisations outside the EU when they offer goods or services to people in the EU or monitor their behaviour, so how such data is used outside the EU is covered too.
The aim is to give people control over their personal data: the information they hand to companies and organisations when signing up to services, filling in a form or simply visiting a website. The legislation is widely regarded as one of the most stringent data protection laws in the world and provides for substantial fines for those who fail to look after the data they collect. So what is covered by data protection? Let's take a look.
Areas Covered by Data Protection
The law on data protection in the UK and across the EU is built around a set of "data protection principles". Anyone handling or storing personal data is under a legal obligation to process it lawfully, fairly and transparently, and only for the purposes for which it was collected, not for anything else.
Going further, the principles limit how the information people provide to companies and organisations can be used: it must be adequate, relevant and restricted to what is needed to carry out the task for which it was provided.
Personal data must also be accurate and kept up to date where necessary, and organisations cannot hold onto it for longer than they need to. Those storing the information are legally bound to keep it secure, protecting it against accidental loss, damage or destruction and against unauthorised access, use or theft.
Stricter conditions apply to "special category" data, which covers race and ethnic origin, religious or philosophical beliefs, political opinions, genetic and biometric data, health, sex life or sexual orientation, and trade union membership.
Data Protection and Your Rights
Under the data protection legislation, everyone has the right to know what information companies, organisations and even the government hold about them. If you make such a request, they are required by law to tell you how they are using your data, give you access to it, correct it if it is inaccurate and, in certain circumstances, delete it if that is your wish.
You can also ask that the processing of your data is restricted, so that it is stored but not used further, or that it is not used for particular services. Members of the public can also object to how their information is being used, for example for direct marketing.
Your rights also extend to automated decision-making, where an organisation reaches a decision about you without human involvement, and to profiling that attempts to predict your behaviour, including computerised "big data" processes that analyse customer data to forecast what people might purchase in the future.
Provisions for Significant Penalties
Under the 2018 Act the maximum fine for breaching data protection rules is the same as under the GDPR: €20 million or 4% of annual worldwide turnover, whichever is higher (the earlier £500,000 cap belonged to the Data Protection Act 1998, which the 2018 Act replaced). The publicly available GDPR Enforcement Tracker, maintained by the law firm CMS rather than by the EU itself, lists the latest data protection enforcement actions and the fines handed out.
ITRM complies with the data protection legislation, whether you are visiting our website or receiving IT support or other services as a client. Read more about our data privacy measures to find out how you are protected and how we safeguard any information you provide to us.