Data protection: legislative frameworks and key principles
Data has become one of the most valuable resources in today's society, and users are becoming more careful about the sort of data they share and about how and why it is used. It is now a legal requirement that every business that handles personal data, with or without an online presence, provides privacy information to individuals explaining how their personal data is used (Articles 13 and 14 UK GDPR). Most organisations meet this obligation through a privacy notice or policy made accessible to the people whose data they collect, whether online or offline. In this article we look at the legislative framework and the key principles governing data protection in the UK following Brexit.
Legislative frameworks
The General Data Protection Regulation (EU) 2016/679 (GDPR), the EU law on data protection and privacy, was adopted on 14 April 2016 and became enforceable on 25 May 2018. Because the GDPR is a regulation rather than a directive, it applied directly in all EU member states without needing national implementing legislation, including, until Brexit, the United Kingdom.
Following the end of the Brexit transition period on 31 December 2020, the GDPR ceased to have direct effect in the UK. Given the UK's commitment to maintaining an equivalent data protection regime, the text of the GDPR was retained in UK law as the UK General Data Protection Regulation (the UK GDPR) by virtue of the European Union (Withdrawal) Act 2018, with amendments to reflect the UK's status outside the EU. In practice, there is little difference in the core data protection principles, rights and obligations between the GDPR and the UK GDPR.
The UK GDPR sits alongside, and is supplemented by, the Data Protection Act 2018 (DPA 2018), which was itself amended with effect from 1 January 2021 to reflect the UK's position outside the EU. The DPA 2018 sets out the Information Commissioner's functions and powers, tailors how the UK GDPR applies (for example through exemptions), and contains separate data protection rules for law enforcement and intelligence processing. Together, the DPA 2018 and the UK GDPR form the cornerstone of data protection legislation in the UK.
Importantly, the EU GDPR may still apply to an organisation based in the UK where that organisation has an establishment in the EEA, offers goods or services to individuals in the EEA, or monitors the behaviour of individuals in the EEA (Article 3 GDPR). Such businesses need to be aware of both the UK and the EU regimes, since each has its own supervisory authorities and its own fining powers, and may need to appoint a representative in the EU.
Key principles
Article 5 of the UK GDPR (mirroring the EU GDPR) sets out seven key principles for processing personal data:
1. Lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. "Lawfully" means that each processing activity must rest on at least one of the lawful bases listed in Article 6 (for example consent, contract, legal obligation or legitimate interests), and special category data additionally requires a condition under Article 9.
2. Purpose limitation. Personal data must be "collected for specified, explicit and legitimate purposes" and not further processed in a manner incompatible with those purposes. The purposes should be identified before collection begins and communicated to individuals through the privacy notice.
3. Data minimisation. Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. Collecting data "just in case" it is useful later is not compatible with this principle.
4. Accuracy. Personal data must be accurate and, where necessary, kept up to date, and every reasonable step must be taken to ensure that inaccurate data is erased or rectified without delay. The ICO's guidance is that what counts as a reasonable step depends on the nature of the data and what it is used for.
5. Storage limitation. This principle concerns how long data is kept rather than how much is collected: personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. Controllers should set and document retention periods they can justify, and the ICO recommends erasing or anonymising personal data once it is no longer needed, since properly anonymised data is no longer personal data.
6. Integrity and confidentiality (security). Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures. The ICO recommends that controllers carry out an information risk assessment to determine which measures are appropriate to the risk.
7. Accountability. Under Article 5(2), the controller is responsible for, and must be able to demonstrate, compliance with the principles above. This means having measures and records in place (for example records of processing activities, policies, data protection impact assessments and contracts with processors) that can be produced as evidence, since the supervisory authority can ask for it at any time. The aim of a privacy management framework is to embed these accountability measures and to create a culture of privacy across the controller's organisation. The ICO's data sharing code of practice, published on 17 December 2020, explains how organisations should approach sharing personal data between controllers and gives further guidance on the risk management processes expected.
These key principles embody the spirit of the data protection regime, and the exemptions that allow departure from them are narrow. Compliance with the principles is therefore the foundation of good data protection practice, and failure to comply can expose an organisation to substantial fines. Infringements of the basic principles for processing are subject to the highest tier of administrative fines under Article 83(5) UK GDPR (up to £17.5 million or 4% of total worldwide annual turnover, whichever is higher), so compliance with the detailed provisions of the UK GDPR is essential.
Our insights, articles and guides do not, and are not intended to, constitute legal advice or be an exhaustive review of all legal developments. Although every effort is made to ensure that the information provided in this article is accurate as of the publication date, please be aware that this area of law may be subject to change. Please seek legal advice before applying the information provided to any specific circumstances, transactions or legal issues.
