Data Protection Compliance

What is the ICO?

The Information Commissioner’s Office (ICO) is a non-departmental public body that reports directly to the Parliament of the United Kingdom and oversees data protection legislation.

The ICO is headed by an independent official appointed by the Crown, and acts as the regulatory office for national data protection law in the form of The Data Protection Act 2018 (DPA 2018).

What does the Data Protection Act Cover?

The DPA 2018 sets out a specific framework for data protection in the UK. It replaces The Data Protection Act 1998. Data protection can be defined as the process of safeguarding important information from corruption, compromise and/or loss.

The DPA 2018 outlines the rights of the individual regarding their data. As such, the data protection compliance undertaken by businesses, organisations and government

What Does the DPA Include?

  • Making sure any information that is kept is up to date, kept secure and accurate with respect to the person or matter it relates to.
  • When someone’s personal data is collected, they must be informed of how it will be used and whether it will be shared with other organisations.
  • An individual also has the right to see any information a business or organisation holds about them.
  • The individual has the right and ability to correct inaccurate information.
  • The individual has the right to request that their data be erased.
  • An individual has the right to request that their data is not used for certain purposes.

How Does the Data Protection Act Work With GDPR?

The DPA 2018 coexists alongside the UK General Data Protection Regulation (UK GDPR).

Article 5 of UK GDPR lays out 7 key principles for obtaining, storing and using data that has been collected by any business, organisation or government.

Businesses and other organisations are required to keep records of their data processing activities for specific purposes.

This is called ‘Documentation’ and is integral to supporting good data governance. If requested by the ICO, a business or organisation must make all records available in order to comply with the UK GDPR.

There is a list of information that should be documented under Article 30 of the UK GDPR in order to comply with the key principles outlined in Article 5.

What DPA/GDPR Compliance Measures Need to be Taken?

Not only is documenting data processing a legal requirement in the UK, but it also demonstrates compliance with other areas of UK GDPR.

There are some specific areas of documentation within businesses that should be adhered to in order to comply properly:

  • Data Controllers and Data Processors each have documentation obligations specific to their role. Under UK GDPR, data processing is the responsibility of the ‘Data Controller’ within any business that deals with its own customer data, and of the ‘Data Processor’ in a business that handles its clients’ customer data.
  • Businesses that have more than 250 employees must document all their processing activities in compliance with UK GDPR guidelines.

However, there are exceptions that apply only to small or medium-sized businesses. Specifically, those with fewer than 250 employees only need to document processing activities that are not occasional, or that:

  • Could result in a risk to the rights and freedoms of individuals.
  • Involve the processing of special categories of data or criminal conviction and offence data.

Ensuring Best Practice

There are some ways in which business owners can ensure lawful compliance under regulations more easily.

For example, an audit or ‘data-mapping’ exercise can be performed to find out specifically what data your business or organisation holds and where it is held.

This is a good process to make sure UK GDPR is being enacted correctly as well as getting an idea of what data is held already.

Another way a business or organisation can ensure compliance is by establishing why personal data is used, who it is shared with and how long it is kept, by reviewing policies, procedures, contracts and agreements.

Finally, when documenting, organisations or businesses may benefit from maintaining records electronically. All records and/or findings should be put into writing and done so in a meaningful way.

Please see our article on Cookie Compliance.