Data privacy is about the protection of each individual’s personal data. Any business or organisation that has information about another person must only use it in a lawful, fair and transparent way, keep it only as long as necessary and keep it secure. These obligations apply to almost every business and organisation, no matter how small or large.

Some businesses and organisations must appoint a Data Protection Officer to oversee compliance with data privacy rules. This is mandatory for public authorities, and for any organisation whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category data (such as health, ethnicity or religious belief) or criminal offence data. Other organisations may appoint one voluntarily.

What is personal data?

There is a specific and detailed definition of personal data. In summary, it means any information relating to a living individual who can be identified from it, directly or indirectly, for example by a name, an identification number, location data or an online identifier such as an IP address or cookie ID.

Where do data privacy rules come from?

Data privacy rules are set out in the General Data Protection Regulation (commonly referred to as the GDPR) and the Data Protection Act 2018. The GDPR is a European Union regulation which established the data privacy concepts now widely accepted. The Data Protection Act 2018 is UK legislation that supplements the GDPR, fills in the areas the GDPR leaves to national law and sets out separate regimes for processing by law enforcement bodies and the intelligence services. Following the UK's withdrawal from the European Union, the GDPR was retained in UK law as the "UK GDPR", which continues to apply alongside the Data Protection Act 2018. The EU GDPR still applies to UK organisations that offer goods or services to, or monitor the behaviour of, people in the EU.

Are there any restrictions on when I can use an individual’s data?

Personal data can only be processed in certain circumstances. Processing means doing anything with personal data, including collecting, storing, using, sharing and deleting it. Every processing activity needs one of six lawful bases: the individual has given consent (which must be freely given, specific, informed and unambiguous); the processing is necessary to perform a contract with the individual; it is necessary to comply with a legal obligation; it is necessary to protect someone's life (vital interests); it is necessary for a task carried out in the public interest or in the exercise of official authority; or it is necessary for the legitimate interests of the controller or a third party, and those interests are not overridden by the individual's rights. Special category data, such as health or biometric data, additionally requires one of a narrower set of conditions.

What types of personal data rights are there?

There are eight: the right to be informed, the right of access, the right to rectification, the right to erasure (often described as the right to be forgotten), the right to restrict processing, the right to data portability (to move personal data to another provider), the right to object, and rights in relation to automated decision-making and profiling. Most requests must be answered within one month.

Who needs a privacy policy?

Any business or organisation that collects personal data from an individual must provide them with certain information at the time of collection, usually in a privacy policy or privacy notice. This includes the name and contact details of the business or organisation (and of its Data Protection Officer, if it has one), the purposes for which personal data will be processed and the lawful basis relied on, who the data will be shared with, whether it will be transferred outside the UK, how long it will be retained, what the individual's rights are and how to complain to the regulator. Where the data are obtained from a source other than the individual, the same information must be provided within a reasonable period, and in any event within one month.

How can I transfer data to a third party?

This depends on the role of the recipient. The data controller is the person or organisation that decides why and how personal data are processed; a data processor is one that processes personal data on the controller's behalf and on its instructions, such as a payroll provider or a cloud hosting company. Whenever a controller engages a processor, there must be a written contract (often called a data processing agreement) setting out the subject matter and duration of the processing, its nature and purpose, the types of personal data and categories of individuals involved, and the rights and obligations of the controller. The contract must also bind the processor to act only on the controller's documented instructions, keep the data secure, assist the controller with individuals' rights and breach notification, and return or delete the data at the end of the engagement. Where the recipient will decide for itself how to use the data, it is a separate controller: the disclosure must be covered by a lawful basis and explained in the privacy notice, and a data sharing agreement is good practice but not a substitute for those requirements.

How can I transfer personal data outside of the UK or European Union?

An individual's personal data can be transferred freely to a jurisdiction outside the UK or the European Union only if that jurisdiction has been formally recognised as providing adequate protection (an "adequacy decision" made by the UK government or, for EU transfers, the European Commission). Otherwise, appropriate safeguards are needed: standard contractual clauses (for transfers from the UK, the ICO's International Data Transfer Agreement or its addendum to the EU clauses) or, within a corporate group, binding corporate rules. The exporter should also assess whether the laws of the destination country undermine those safeguards in practice. Transfers to the United States are subject to specific arrangements that have changed more than once, so current ICO guidance should be checked before relying on them.

What penalties are there?

The Information Commissioner's Office (ICO), the UK's data privacy regulator, can impose fines for breaches of data privacy rules. For the most serious infringements the maximum under the UK GDPR is £17.5 million or 4% of total worldwide annual turnover, whichever is higher (the EU GDPR figure is €20 million or 4%). A lower tier of £8.7 million or 2% applies to other infringements, such as failures in record-keeping, security or breach notification. The ICO can also issue enforcement notices requiring processing to stop, and individuals can claim compensation for damage caused by a breach.
