In the past, the idea of protecting your personal information rarely extended beyond shredding and proper disposal. The world is now undergoing an incredible metamorphosis due to advancements in technology. Unfortunately, despite the great things we have accomplished, the result is not all sunshine and rainbows. Technological advancement is allowing criminals and businesses to use your online data for nefarious purposes. We now have legislation to help protect us in the form of the Data Protection Act 2018, but it is not always a guarantee of success. The world is in a digital arms race between advertisers, criminals and the everyday person.

If you need a contemporary example of why data protection is important, take a look at the case of the Equifax hack. The well-known US credit bureau suffered a cyberattack in 2017 due to insecure network design, which led to the information of over 150 million people being stolen. Bear in mind, we are not talking about your local bank here either: Equifax is a massive corporation that did over $3.5 billion in revenue in 2019. This shows the seriousness of the current landscape and why more adequate data protection legislation was required.

What Is The Data Protection Act 2018?

The Data Protection Act 2018 is the overriding legislation on data protection within the UK. It was brought into effect to give the EU’s General Data Protection Regulation (GDPR) legal force in the UK, since the UK was still a member of the EU at the time the regulation came into effect across the bloc. Despite this, the GDPR does not cover the full scope of the DPA 2018. Below is some information on the various sections of the act and what each deals with.

Statistics Show Why The Newer Data Protection Act Is Needed: https://www.dlapiper.com/en/us/insights/publications/2020/01/gdpr-data-breach-survey-2020/
  1. Provides definitions and provisions relating to ‘personal data’.
  2. Establishes that most data processing falls under the GDPR.
  3. Supplements the Act where the GDPR does not apply.
  4. Provisions for the processing of personal information by law enforcement.
  5. Basis for the processing of personal information by intelligence services.
  6. Explanation of the rights and role of the ICO.
  7. Provisions for the enforcement of the law.
  8. Supplementary provisions to the law.

Please bear in mind that this article does not seek to form the basis for any legal advice. If you have any specific questions about the DPA 2018, you should refer your question to a qualified legal professional. Ideally, one that specialises in data protection law.

Why Was The Data Protection Act 2018 Created?

The Data Protection Act 2018 was brought into effect so that the UK government could apply the GDPR in UK law. The DPA 2018 was also needed because the previous legislation was outdated. For example, under the old regulations, the maximum applicable fine for breaching the law was £500,000. Under the renewed legislation, the ICO can levy fines of up to £17.5 million, or 4% of the previous year’s global turnover, whichever is higher. These fines act as a much bigger deterrent against companies acting illegally.

It was also needed to institute more effective digital rights for the public. Under the DPA 2018, data subjects enjoy much more concrete and useful rights over their personal data. For example, individuals now have the right to have their data erased by a data controller. Additionally, data subjects now have the right to make a ‘Subject Access Request’, which allows them to see any personal data that a company or other organisation holds on them. This wasn’t the case before, at least not realistically. That shows the need for a robust data protection framework in the advancing digital world.

What Rights Do Data Subjects Have?

As mentioned in the last section, the new (not so new) laws have implemented a number of different rights for data subjects, meaning the people whose personal information is being, or has been, processed by your company. A brief overview of these rights can be found below.

Right To Rectification

Data subjects have the right to have any incorrect personal data that is held on them corrected. This applies where the data held is inaccurate or incomplete. In the event that a request for rectification is made, you will have to make the corrections within one month of the request being made.

The Right of Erasure

Data subjects have the right to erasure, also known as the ‘right to be forgotten’. When a data subject makes a request, verbally or in writing, to have their data erased from your systems, you have one month to respond. You do not always have to comply with the request, but you should always be clear about, and keep a record of, your legal standing.

The Right To Restrict Data Processing

Data subjects have the right to restrict processing, meaning that the processing of their data is limited. In plain English, you would be permitted to continue storing the data, but you wouldn’t be permitted to otherwise make use of it. You have one month to respond to such a request, although in certain circumstances you don’t have to comply.

The Right To Data Portability

Data subjects have the right to obtain and reuse their own personal data for their own purposes across different services. This means the data needs to be capable of being transferred effectively to another IT environment. This right only applies to information that the data subject has provided to your company as the data controller.

The Right To Object To Processing

Data subjects have the right to object to the processing of their personal data. This means that you will not be able to use or store the data, and it applies particularly in the context of direct marketing. Once a request has been made, you have one month to respond to the individual.

The Right Not To Be Subject To Decisions Based On Automatic Processing

Data subjects have the right to not have significant decisions made about them through automatic processing, without a human element. The only circumstance where this does not apply is when automatic processing is required by law.

Who Is The Governing Body For Data Protection In The UK?

The governing body for data protection within the UK is the Information Commissioner’s Office, or ICO for short. This is a non-departmental government body that reports directly to the UK government and forms the primary regulatory authority on data protection and information issues. It was founded in the UK as the Data Protection Registrar and is currently headed by the Information Commissioner herself, Elizabeth Denham, who has held the post since July 2016. The ICO is known for having pursued enforcement action against a range of large companies such as Sony and Uber. It is the body you don’t want to fall foul of.

British Airways faces record £183m fine for data breach - BBC News: https://www.bbc.com/news/business-48905907

You can get in touch with the ICO by calling their main office line on 0303-123-1113. On their website, you can find a wealth of resources on data protection within the UK. This information will be incredibly useful for you, whether you’re a business or a consumer. You can also report information concerns and complaints to the ICO. It should be noted that there may be a delay in the ICO getting back to you due to the COVID-19 pandemic. Make sure you comply, and keep yourself up to date with the latest developments in UK data protection by using their resources.

The Impacts Of The Data Protection Act 2018 On Your Business

Now that we have an understanding of exactly what the DPA 2018 is for and how it works, we can look into its impacts on your business. Of course, the main area affected is marketing; however, there are other considerations to be aware of.

Cold Calling

Cold calling in and of itself isn’t impacted by the DPA 2018; you can still cold call to generate new business. Despite this, you will have to govern yourself with the DPA 2018 in mind with regard to how you’re using the data to cold call. For instance, if you are simply dialling a list of business landline numbers that are CTPS compliant, then you’re not likely to have any issues. Alternatively, if you are dialling individuals using their personal phone numbers, you will need explicit consent to use that information for cold calling purposes. There is some flexibility in B2B under legitimate interest.

If you work in the B2C market, then you have to be particularly careful with consent. The reason for processing a subject’s data needs to be clear, and the consent itself must be clear. Additionally, you have to make it easy for the subject to withdraw that consent. This can be achieved through follow-up emails to phone calls that give the customer the option to opt out.

Email Marketing

Of course, sending a marketing email is going to fall under the GDPR unless you’re sending messages to generic ‘info’ email addresses. This means that, once again, consent is your friend with email marketing. As with cold calling, it needs to be clear from the customers themselves that they want to receive marketing communications. Additionally, consent needs to be given specifically, whilst being easy to withdraw. You should include an option to unsubscribe from marketing communications within the emails that you send. When working with data protection, it is always better to be safe than sorry.

Data Protection Act 2018: Data Breaches

In the United Kingdom, data breaches need to be reported to the ICO within 72 hours of the breach being discovered. This applies when the breach can constitute a high risk to the rights and freedoms of individuals in the UK. Failing to report such a breach can result in serious penalties for you and your business, in the form of a fine of up to £8.7 million or 2% of global annual turnover, whichever is higher. Given the potential severity of breaches, both in penalties and in lost consumer trust, it pays to have robust breach detection measures and a consistent process for reporting to the ICO.

Registering With The ICO

Every organisation, including sole traders, has a responsibility to comply with ICO rules regarding registration. This takes the form of an annual ‘data protection fee’ that is collected by the ICO from any business that processes personal information. The fee is tiered at £40, £60 or £2,900. There are some exemptions to these rules, so your best bet is to complete the self-assessment on the ICO website and see what it suggests. Charities of all sizes are only expected to pay £40. Once registered, you will be given an ICO registration number and your business will be covered to process personal data lawfully.

Conclusion

In closing, it can be seen that the DPA 2018 was a very progressive step forward in data protection. We largely have the EU to thank for that, and it is likely that the DPA 2018 will mirror elements of the GDPR for a long time yet. The existing data protection legislation was found to be outdated and unfit for purpose, which created the need for a new data protection framework that puts data subjects back in control. This is achieved through the provision of new rights that give data subjects power over their information.

The change in the law had a massive impact on businesses that still applies today. It requires companies to make greater efforts to be ethical in their lead generation and overall marketing practices. The new enforcement powers given to the ICO also raise the risk for businesses that fail to comply with the law. If you’ve found this guide helpful, please leave a comment below about what you’ve learned. Feel free to share this article with anyone who may find it useful.