The Data Protection Principles explained

The underlying essence of the DPA is contained in eight data protection principles (listed below). The GDPR also adopts a number of those principles. Generally speaking, a UK business that can demonstrate compliance with the eight DPA principles is likely to comply with the six GDPR principles, but businesses should be aware of some subtle changes.

Data protection principles under the DPA

  1. Businesses must process personal data fairly and lawfully.
  2. Businesses must collect personal data only for one or more specified and lawful purposes.
  3. Businesses must ensure personal data is adequate, relevant and not excessive.
  4. Businesses must ensure personal data is accurate and kept up-to-date.
  5. Businesses shall not keep personal data for longer than is necessary.
  6. Businesses must process personal data in accordance with data subjects’ rights.
  7. Businesses must take “appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
  8. Businesses must not transfer personal data outside the EEA unless the receiving country has adequate data protection laws.

What do the DPA principles really mean?

Unless a business complies with those eight principles when it processes an individual’s personal data, the business will not be complying with the DPA. In everything a UK business does, it must refer back to these eight principles.

Data protection principles under the GDPR

  1. Businesses must process personal data lawfully, fairly and in a transparent manner.
  2. Businesses must collect personal data only for one or more specified, explicit and legitimate purposes.
  3. Businesses must ensure personal data is adequate, relevant and limited to what is necessary.
  4. Businesses must ensure personal data is accurate and kept up-to-date.
  5. Businesses shall not keep personal data for longer than is necessary.
  6. Businesses must “ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

What do the GDPR principles really mean?

Unless a business complies with those six principles when it processes an individual’s personal data, then the business will not be complying with the GDPR. However, the GDPR contains a lot more detail besides these six principles, and simply complying with these principles will not be enough to demonstrate compliance with the GDPR.

What are the significant differences between the DPA and the GDPR?

The GDPR now requires businesses to process data “in a transparent manner”, so businesses will be expected to deal openly with any individuals with whom they interact.

When collecting data from individuals, businesses must explicitly state the purpose for which that data is being collected. Simply alluding to one or more potential purposes is not enough – the GDPR requires businesses to be explicit in listing those purposes and, if a purpose isn’t on the list, then the data cannot later be used for it unless the new purpose is compatible with the one originally stated (the GDPR expressly treats archiving in the public interest, research and statistical purposes as compatible).

Under the GDPR, businesses must now take every reasonable step to correct any inaccurate personal data held by that business. Whilst this duty wasn’t actually set out in the DPA, it’s difficult to see how businesses could comply with the fourth principle of the DPA without also correcting data promptly, so there is likely to be little change in reality.

The eighth principle of the DPA has gone, although the GDPR does contain significant sections on overseas data transfers (Chapter V, Articles 44 to 50). We’ll cover these in more detail in a subsequent briefing.

Finally, under the GDPR, the business now has an additional duty, known as ‘accountability’ (Article 5(2)) – it is not enough for the business to comply with the six GDPR data principles. The business must also be able to demonstrate that it is complying.

What effect will this have on UK businesses?

Businesses will now be expected to provide individuals with more information than previously provided, particularly around the purposes for which those individuals’ data is being collected. We will cover this in more detail in a future briefing.

And businesses will now have to refer back to the six GDPR principles in everything they do. Simply complying with these six principles will not, on its own, guarantee compliance with the GDPR, but a failure to comply with any one of these principles is itself a breach of the GDPR.

What will my business need to do?

Our first advice would be to review and update your business’s privacy policy, which should set out much of the information that a business needs to disclose to the public. But more than that, consider where your business interfaces with individuals and, at every point where data is given by an individual to the business, identify whether the individual is clearly notified of what you are going to do with their data.

You need to ‘cleanse’ your databases, and ensure that the data your business is holding is ‘accurate’, ‘up-to-date’ and doesn’t contain unnecessary information that you don’t really need. You need to also ensure that those databases satisfy the six GDPR principles.

And determine how your business can best demonstrate compliance with the six GDPR principles. What records can you create and maintain to prove that you are ticking off every one of those requirements? Do you have an internal data protection policy?

Q&As

The eighth DPA principle has gone – do I no longer have to worry about transferring personal data overseas?
It is true that the GDPR has no equivalent principle relating to overseas data transfers, but the GDPR does contain a number of sections dealing with this issue. The transfer of data to overseas recipients is dealt with even more stringently under the GDPR so, whilst non-EEA transfers will no longer be considered as a ‘principle’, there are requirements (to be covered in a future briefing) that your business will need to satisfy.

What does ‘transparent’ mean?
The GDPR does not define the word, and no regulator’s guidance is currently available, although Recital 39 and Article 12 describe what is expected: information about processing that is easily accessible and easy to understand, given in concise, clear and plain language. Whilst it is understandable that businesses are expected to be ‘open’ with the individuals with whom they interact, there will undoubtedly be a line drawn to protect businesses’ confidential information. It is not yet clear on what grounds a business will be allowed to say ‘no’.

So if my business complies with the six GDPR principles, that’s enough?
No. Simply complying with the six principles will not, on its own, guarantee compliance with the GDPR, but a failure to comply with any one of these principles is itself a breach of the GDPR. Compliance with the six GDPR principles should be seen as the foundation for satisfying your duties under the GDPR, but there is much more besides.

Do I really have to tell my customers precisely what I’m going to do with their data?
Yes, before or at the time you collect the data from them. A vague statement that you need their data for business reasons won’t be enough – you will need to be ‘explicit’ and ‘transparent’. And if you miss a reason off that list, then you won’t be able to use that customer’s data for that missing reason unless it is compatible with the purposes you did state.

Exactly how long can I keep data in my IT system – what is ‘no longer than necessary’?
The answer depends on a variety of things, including the type of data you are referring to. For some one-off transactions, the data should be erased immediately after the transaction completes. If you can reasonably and genuinely justify keeping the data for a certain period (eg. for as long as your customer purchases goods/services from your business), then you can retain the data for that period. Do not keep data ‘just in case’ – under the GDPR, your business will be responsible for justifying why you haven’t deleted ‘dormant’ data.

How can I demonstrate that my business is complying with these principles?
Training. Impact assessments. Policies. Privacy Notices. Appointing a data protection officer. Audits.

Your business should put a proper, detailed ‘corporate governance’ framework in place that includes appointing a data protection officer (the GDPR makes this mandatory for public authorities and for businesses whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; for other businesses it remains good practice), undertaking impact assessments and audits (both of which should be undertaken regularly, and recorded in writing), and ensuring that you have policies (both internal and external) that satisfy the requirements of the GDPR. All personnel, including directors, partners, employees and consultants, should undergo training on the GDPR and how it is being implemented within your business. This is one of those areas where a paper trail is important but, on its own, is not enough – whilst you do need the paper trail to demonstrate compliance, you also need to police internal compliance to ensure the business and everyone in it is complying with the paper trail in practice. And then document that, too.

Glossary

  • Data subject means the living individual that is identified, or can be identified, from the personal data.
  • DPA means the Data Protection Act 1998, the statute that governs the processing of personal data in the UK until the GDPR applies.
  • EEA means the European Economic Area, consisting of all EU member states, together with Iceland, Liechtenstein and Norway.
  • GDPR means the General Data Protection Regulation (Regulation (EU) 2016/679), the EU law that replaces the Data Protection Act 1998 from 25 May 2018.
  • Process means to do just about anything with personal data, eg. collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, erasing, destroying or otherwise making the data available to somebody else.

Notes

This briefing is based on the law as it stands in April 2017. It is possible (and, indeed, likely) that, before the GDPR becomes applicable on 25 May 2018, the Information Commissioner’s Office will release a number of guidance notes that will help to interpret the GDPR. These guidance notes may offer additional advice for UK businesses, and may even cause some of the information in this briefing to become incorrect. As a result, this briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.