Data Protection

Data protection is the process of keeping personal information secure by design, by ensuring that appropriate technical and organisational measures are adopted by businesses to protect such data. It involves ensuring compliance with applicable data protection legislation such as GDPR, the Data Protection Act and the PECR. 

Increased regulatory and commercial pressure also means that businesses are obliged to prioritise data protection within their organisations. It should be at the very heart of their business. Data protection does not just extend to complying with the law, but adopting best practices throughout your organisation, should also give you a competitive advantage. Any business that is seen to have robust procedures in place for data protection, will give confidence to its consumers and clients. We 

Businesses of every size need a plan for continuous data protection. We recognise that many businesses will already have good IT systems in place to protect against ransomware and cyber threats and safeguard data generally. A good data protection strategy ensures data can be restored quickly after any corruption or loss. However, the implementation of a good data protection framework incorporating data management, key policies and procedures will promote good practice and compliance with the data protection laws. These policies are both internal and external facing and can offer reassurance to third parties that you are compliant with data protection laws. 

The importance of data protection increases as businesses increasingly rely on the use of data which is created and stored. The key principles of GDPR are to safeguard the data and make it available under all circumstances. 

The implementation of GDPR in 2018 caused furore because it placed greater emphasis on not only data protection, but the need for businesses to be more aware of their own requirements to protect data.

However, the purpose of GDPR and other data protection laws such as the Data Protection Act 2018 is to establish a framework which sets out what should be done to make sure that everyone’s data is used properly and fairly. Failure to comply with the applicable laws can have serious consequences including monetary fines or even prison sentences. The reputational damage and fallout from a data breach can also be devastating, so data protection is not just a legal requirement, but crucial to protecting and maintaining your business. 

A personal data breach is a breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It is not just limited to personal information and can include the following types of data breaches:

• access by unauthorised third parties
• deliberate or accidental loss or damage by either a data controller or a data processor
• accidental dissemination to a third party (i.e., sending by email to the wrong email address)
• lost devices containing personal data etc. 

A data breach can be accidental or unlawful.

Examples of types of data breaches are:

• ransomware
• theft of information
• phishing
• malware
• breach of passwords
• email compromises
• employee mistakes / negligence
• application and software vulnerabilities

The original data protection act 1988 was developed to control how personal data is used by businesses or government bodies. This has since been replaced by the Data Protection Act 2018 which provides a modern and comprehensive framework for data protection in the UK and applies the EU GDPR.

The main elements of the DPA are:

• The implementation of GDPR standards across all data processing in the UK
• An overview of the definitions used in GDPR in the context of the UK
• Ensures that sensitive health information, social care and education data can continue to be processed whilst ensuring that it is safeguarded
• Provides restrictions on rights to access and delete data where there is a strong public policy justification, including for national security purposes
• Age of consent reduced to 13

In addition, the DPA also provides a regime for law enforcement, regulatory and intelligent services.

The DPA offers a further data protection system and modifies aspects of GDPR to make it work in the UK. 

The DPA differs from GDPR, but both are enshrined in the UK as our main data protection laws.

Whilst there are some differences between the two pieces of legislation, the DPA is the UK’s implementation of the General Data Protection Regulation (GDPR), now known as UK GDPR.

Which law overrides the other, would be very much fact dependent and in all likelihood, would not matter. Both laws are designed to work in the UK and apply to businesses and all types of data processing, to provide robust protection. 

The territorial scope is for all organisations processing personal data whether as a controller or processor in the United Kingdom, regardless of whether the processing takes place in the United Kingdom or not.