The Data Protection Act 2018 (the “DPA”) is interpreted alongside the UK General Data Protection Regulation (the “UK GDPR”), which came into force on 01 January 2021. The DPA 2018 came into effect on 25 May 2018 and placed additional legal responsibilities on organisations that keep, store or process data.
COVID-19 has meant that many businesses and organisations have had to invest in and use online facilities, e.g. websites, ecommerce platforms and social media, in order to operate. As a result, data is being obtained and stored at an increasing rate. It is therefore imperative that organisations comply with the 7 principles stated in Article 5(1) of the UK GDPR.
For the purpose of this article, a data user will mean an individual/corporate entity that acquires or controls the data of another, and a data subject is an individual/corporate entity whose data is used in any way by another.
The Principles of Article 5
Article 5 states that data controllers and processors need to ensure that they act in accordance with the following 7 principles:
- Lawfulness, fairness and transparency – This requires data to be processed in accordance with the law, and that the individual/corporate entity whose data is collected is aware of what data is being collected about them. The notion of ‘fairness’ is more subjective. However, it is generally taken to mean that data should only be handled in the way that the data subject would expect the data controller/processor to handle it. This will be closely linked to the reason the data controller/processor has given for obtaining/storing the data.
- Purpose limitation – This requirement prevents organisations from collecting data for the sake of it. The data user must state in their privacy notice why they are retaining data and the purpose for which it will be used. The data user can only use the data for a new purpose if it is compatible with the original one.
- Data minimisation – This requires that the data being processed is adequate, relevant and limited to what is necessary. This means that it has to be sufficient to fulfil the purpose for which it is being collected, that it links to the purpose stated in the data user’s privacy notice, and that only the necessary data is collected.
- Accuracy – This requires that all data kept by the data user is kept accurate and does not mislead as to the facts it records. Furthermore, the data user is obliged to consider any challenges to the accuracy of the data it holds.
- Storage limitation – This places an obligation on the data user to monitor the data it stores. In relation to this, the following needs to be considered:
  - How long should the personal data be kept?
  - Has the data been kept in line with the standard retention policy of the data user?
  - Have any challenges been received to the data retention?
  - Is data being held longer than it needs to be (subject to public interest archiving, historical, scientific and research purposes)?
  - Is the data user regularly reviewing the data it holds to see if it is still necessary?
- Integrity and confidentiality (security) – This places an obligation on the data user to ensure that it employs the relevant processes, systems and safeguards to keep the data it holds and processes secure. The more sensitive the information obtained, the more onerous this obligation becomes. Compliance under this principle means conducting regular risk assessments of existing processes and testing of safeguarding measures.
- Accountability principle – This requires the data user to demonstrate its compliance with data protection law. Examples of this can include staff training and investment in data security software, having written contracts in place with entities that process data on the data user’s behalf, and appointing a data officer.
In light of the above, one can see that data protection needs to be a key consideration for any business regardless of size. As the Information Commissioner’s Office can impose penalties of up to £500,000.00, it is always prudent to ask a solicitor to review your terms and conditions, your processes and your data storage facilities to see if you are compliant.
If you have any questions regarding this article, please feel free to contact a member of the Lawdit Team on 02380235979.