Week 9 Law

Cards (23)

  • Data
    Vast quantities of information collected by companies through their operations
  • Types of data collected by companies

    • Customer data
    • Employee data
    • Supplier data
    • Production data
    • Intellectual property
  • Data Protection Act 2018

    Governs the use of personal information and impacts on how information systems are used by businesses
  • General Data Protection Regulation (GDPR)
    An example of EU law being written into UK law; in the UK it is supplemented by the Data Protection Act 2018
  • Data Protection Act 2018 (scope)
    Extends data protection into areas not covered by GDPR (such as processing by law enforcement and the intelligence services) and provides for the Information Commissioner's Office (ICO) as regulator
  • What happened after Brexit
    1. UK Government passed legislation (the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019) to "retain" the vast majority of the GDPR, creating the "UK GDPR" from the end of the Transition period
    2. All basic obligations, rights and principles remain pretty much the same
    3. The European Union formally recognised the UK's data protection standards as adequate (adequacy decisions, June 2021)
    4. The UK GDPR works in tandem with the UK's Data Protection Act 2018, which contained UK-specific tailored provisions on implementation
  • UK General Data Protection Regulation (UK GDPR)

    Governs any processing of personal data
  • Personal data

    Any information relating to an identified or identifiable natural person
  • Examples of personal data

    • Name, addresses, email addresses, telephone numbers
    • Family details
    • Health and Medical History
    • Information about lifestyle and hobbies
    • Details of education and training
    • Employment data
    • Financial information
  • Principles of UK GDPR

    • Lawfulness, fairness and transparency
    • Purpose limitation
    • Data minimisation
    • Accuracy
    • Storage limitation
    • Security (integrity and confidentiality)
    • Accountability
  • Lawfulness, fairness and transparency

    The need to have a lawful basis for processing personal data and to be open with data subjects about how it will be used
  • Lawful basis for processing personal data

    • Consent: clear and for specific purpose
    • Contract: necessary for a contract with the individual
    • Legal obligation: necessary for compliance with a law
    • Vital interests: necessary to protect someone's life
    • Public task: in public interest/official function
    • Legitimate interests: necessary for your own or a third party's legitimate interests, unless overridden by the individual's interests or rights
  • Purpose limitation

    The requirement to specify the purpose of the processing at the outset, and to have safeguards that prevent the data being used for other, incompatible purposes without consent
  • Data minimisation

    To ensure the data is adequate, relevant and limited to what is necessary for the processing
  • Accuracy
    That the data is accurate and, where necessary, kept up to date; inaccurate data is corrected or erased without delay
  • Storage limitation

    The data should only be kept for as long as is necessary, and disposed of according to a set schedule
  • Security (integrity and confidentiality)

    Requires that data is held in conditions where 'appropriate technical and organisational measures' are in place to protect it against unauthorised or unlawful processing and against accidental loss, destruction or damage
  • Accountability
    The need to evidence compliance and take responsibility for processing data in line with the law
  • Individual rights under UK GDPR

    • The right to be informed: the provision of clear privacy information at the point of collection
    • The right of access: the data subject's right to obtain a copy of any personal data held about them in a timely manner (normally within one month of the request)
    • The right to rectification: the right to have data corrected or completed
    • The right to erasure: the qualified right to have personal data permanently destroyed
    • The right to restrict processing: the qualified right to have processing of personal data limited or stopped altogether
    • The right to data portability: the right to receive a copy of the data in a structured, commonly used, machine-readable format that can be transferred to another controller
    • The right to object: the qualified right to have data processing stopped in certain circumstances
    • Rights in relation to automated decision making and profiling: rights around the use of profiling and the right to challenge decisions made solely by automated means
  • Information Commissioner's Office (ICO)

    The UK data regulator
  • Data Protection Officer (DPO)

    Certain entities must appoint a DPO: any public authority or body, or any organisation whose core activities require large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data or of data relating to criminal convictions and offences
  • Duty to report a breach to ICO

    Organisations should assess whether a breach poses a risk to people, including the likelihood and severity of the risk to their rights and freedoms. If this assessment finds that a risk is likely, you must report to the ICO without undue delay, and not later than 72 hours after becoming aware of the breach. Breaches judged not notifiable must still be documented internally, together with the reasoning.
  • Sanctions
    Monetary penalties, enforcement notices, prosecutions, and undertakings. Under the UK GDPR the highest fines are £17.5 million or 4% of total annual worldwide turnover in the preceding financial year (whichever is higher); the EU GDPR equivalent is 20 million Euros or 4%.