The principles of the Data Protection Act 2018: a guide
For most of us, the mere mention of the GDPR stirs memories of those hazy few weeks in early summer 2018 - where corporate panic and media scaremongering filled inboxes far and wide with permission-seeking emails and hastily updated privacy policies. With mass confusion over what lay beyond the looming deadline, what is in fact a progressive, forward-thinking step ended up feeling like a sort of Millennium bug mark II.
From this viewpoint, it’s easy to see the GDPR - and with it, the UK’s Data Protection Act 2018 - as a bewildering mass of red tape and suffocating regulation that your organisation must wade through before it can get on with business. However, when broken down into its seven principles, it becomes a roadmap for successful data handling - a how-to rather than a how-not-to that will benefit you and your customers and renew trust on both sides.
The seven principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
While they read like a finger-wagging checklist of ways to keep your reputation polished and avoid eye-watering fines, sorting each one will unlock a future where your organisation can use data confidently without fearing a visit from the ICO.
In recent years - with increasingly weary attitudes on both sides - the back-and-forth of data protection has become an almost insurmountable hurdle. Customers have become distrusting and reluctant to hand over data, while businesses throw their hands up in despair over a painful obligation they never really understood in the first place.
The EU has intervened via the GDPR before this stalemate becomes irreversible. It’s intended not to make the situation more difficult but to hit reset and offer a more optimistic future. It recognises the lack of trust and clarity that has grown around data protection and sets out seven clear ways to move past it. Getting the principles right is a short-term investment of money, time and effort that will allow your business to stop worrying about data in the long term.
We’re on the cusp of a new era, with the kinds of technologies that looked unbelievable in 90s sci-fi movies becoming an everyday reality. With the internet of things revolutionising our homes and data portability making consumers’ lives simpler, data is leading the charge. The GDPR is a toolkit for what lies ahead - and getting on top of data protection will free your business to innovate.
1. Lawfulness, fairness and transparency
Is your data processing lawful? While this seems like the GDPR’s million-dollar question - and the one that strikes the most fear into the heart of a business - it’s a relatively simple one and will lay a clear path towards meeting the other principles.
The first thing to establish is that as an EU directive, the GDPR’s approach to law doesn’t necessarily match ours. In the UK, we are used to things being legal unless they’re banned; under EU law, things are only legal if they’re expressly permitted. This difference should inform your approach to data protection - it encourages erring on the side of caution.
There are six valid grounds for lawful data processing - known as the lawful bases - so make sure each and every piece of data you process meets one:
- Clear consent. While there are clear ways to obtain it, ask yourself if the consent is specific enough. Using existing data for new purposes is a minefield, with our statistics showing that up to 90% of former customers will withhold new permissions, and 54% will agree to their data being processed for just one activity. Just because you’ve got it, don’t use it if there’s any doubt the customer wants it to be used.
- Contractual need. Signing up for a gym membership is going to be impossible without contact information or bank details. If you can’t perform the exact service the customer has requested without processing a piece of their data, then you’ve got a lawful basis.
- Legal obligation. There’s no way HMRC could process an individual’s tax codes without certain financial information. This basis doesn’t rely directly on consent - and while it might only apply to certain companies who fulfil legal obligations by the nature of what they do, it still counts.
- Vital interest. This basis won’t be most companies’ first port of call - after all, it only applies when failure to process an individual’s data would endanger their life. If someone collapses in the street, an ambulance crew might need to access their medical records before performing CPR.
- Public interest. Local authorities and government bodies might process pieces of data in performing tasks like transport surveys, traffic counts or even investigations. If the task is clearly rooted in law then this basis applies.
- Legitimate interest. If your company is undertaking data processing that can be considered a ‘normal’ part of day-to-day business, such as an audit, there’s no reason why it shouldn’t have a lawful basis. However, any individual can object to this kind of processing.
Establish one of these bases before you process any piece of data. Don’t retrofit the basis or change it later. It’s also important to make sure that your lawful processing isn’t unlawful in some other sense - like breaching copyright.
As far as fairness is concerned, it’s no good having consent and a lawful basis if your data processing isn’t in the individual’s best interests. Don’t just consider how you process their data, but whether you should at all - the GDPR states that processing must not be “misleading, detrimental or unexpected”.
The last of these hit the news recently, when a man spotted his own amputated leg being used to illustrate the dangers of smoking. The cigarette company had taken his image from a database. Not only did they fail to acknowledge that his injury wasn’t smoking-related, but they used it specifically to provoke disgust without sparing a thought for how this usage might impact him. All this was done on the assumption that cropping out his face would provide anonymity. An individual’s body is their data, and it’s never anonymous.
An emphasis on transparency is one of the main elements of the GDPR that sets it apart from previous regulations like the Data Protection Act 1998. Lifting the bonnet and letting people see inside will future-proof data processing and distance it from what is often perceived as a regrettably murky past. It’s more important than ever to uphold an individual’s right to be informed - be clear, honest and open about what you’re up to, before anyone enters into a data-sharing relationship with you.
Practically speaking, there are three main ways to achieve transparency:
- Always make clear the categories of data that you intend to process, and how they will be processed
- Spell out the individual’s rights in full as part of your privacy notice
- Keep your doors open. Make sure you provide clear contact information so that they can query the use of their data at any time
Be certain that your data processing is lawful, fair and transparent - not lawful, fair or transparent. Fulfilling all three criteria will set you on the right track before even considering the other principles.
2. Purpose limitation
Are you doing what your customers think you’re doing? This consideration doesn’t always come naturally to companies - it’s tempting to think of creative or economical new ways to use the data you’ve got.
Spanish football league La Liga recently got into hot water (and landed itself a €250,000 fine) over its app. The app requested users’ permission to access their microphones and location data - nothing unusual there, but then La Liga officials decided to use this data to listen in on bars that were showing their games illegally.
On a larger and more sinister scale, Cambridge Analytica’s reported use of seemingly innocuous Facebook quizzes for mass data harvesting represents a gaping disconnect between what individuals thought their data was being used for (personality profiling) and the purpose it was actually serving (political targeting).
If you’re using existing data for a new purpose, make sure you’ve met one of the following criteria before processing it:
- Clear compatibility with the original purpose. What was the data collected for in the first place, and what impact will a new purpose have on the individual?
- Separate and specific consent. You’ve obtained it once already, but this doesn’t mean you don’t have to obtain it again.
- Clear basis in law. Is your new process legally required or in the public interest?
The data you’ve already got can’t serve a new purpose merely on the basis of a clever idea - just because you could, that doesn’t mean that you can.
Purpose limitation might demand a change in mindset, but it will help to ensure transparency, fairness and accountability - all of which are good news for your company’s reputation.
3. Data minimisation
Why use a fishing rod when you can throw out a net? This question might be pause for thought on a boat trip, but if you’re taking the same approach to data collection and processing then it’s time for a rethink. Make sure the data you collect is “adequate, relevant and not excessive” by figuring out exactly what you’ll need (and what you won’t) before going any further.
By the time the GDPR came in, major tech companies had already found themselves in trouble for excessive data collection. Microsoft was ordered under French law to stop collecting excessive data on users’ internet browsing back in 2016. However, companies of any size can fall foul of over-collection - so keep tabs on what you’re collecting and why. Obtain the bare minimum of data and only do it for an immediate purpose - not because it might come in handy down the line. Of course, downstream purposes like handling audits and complaints aren’t the same as just hanging on for the sake of it - so these are acceptable.
The data minimisation principle applies not only to data collection but to data sharing. Your purposes might not be the same as those of a third party you share data with, so keep a lid on anything that might not be relevant. If you were using an external email provider and sent them a spreadsheet with all the contact details of your customers, this would be more information than they needed.
It’s also important not to underestimate what data you need. Small amounts that are insufficient for purpose should be avoided - so when putting together any type of form or questionnaire, make sure it fully serves its purpose. Any data that doesn’t - whether too much or too little - shouldn’t be collected at all.
You need to be able to demonstrate data minimisation practices as part of being accountable, and it’s advisable to check regularly and delete anything that’s no longer needed.
4. Accuracy
This is a less clear-cut issue than it might seem. While you’d be right to think it’s often obvious when data is inaccurate (like contact details that no longer work), the question of accuracy comes with a lot of baggage. For many years pre-GDPR, data processing was a wild west in which any and all data - no matter whether it was a correct or relevant reflection of an individual - could be stored to build up a profile, at least half of which was completely inaccurate.
The GDPR does not define “accurate”, but it does define “inaccurate” as “anything incorrect or misleading” and encourages regular monitoring and deletion of inaccurate data. How often you do this should depend on the data’s purpose - there are cases in which it’s not necessary to constantly check. A phone number kept as an emergency contact should always be kept accurate, but an email address once used to send a receipt can reasonably go out of date.
The accuracy principle gets more complicated when it comes to data which might be inaccurate by its nature. For example, records might need to be kept of individuals’ opinions even though these are no longer representative. As long as this data is clearly labelled as such then it is accurate.
It’s important not to make any assumptions about data accuracy. Ask yourself how accurate you need to keep data - and, given its level of accuracy, whether or not you can use it.
5. Storage limitation
It’s too easy to store data. These days we carry many thousands of times more computer memory in our pockets than NASA needed to put a man on the moon in 1969. Not so long ago a terabyte was an unfathomably large unit of storage; today a smartphone can hold it.
This not only breeds sheer carelessness, but creates a tendency to keep hold of data just in case it proves useful later. It’s a new problem, as no one in the not-so-distant past of paper records and filing cabinets would have held onto anything unnecessarily.
The GDPR’s standpoint on storage limitation is that data relating to the past shouldn’t stick around if it doesn’t need to - an individual should, within reason, be able to get away from it. Music tastes are an example - if you went through a Nickelback phase ten years ago and Spotify is still serving you playlists that reflect this, then it’s been storing your data unnecessarily.
However, storage limitation doesn’t only cover data that was relevant in the past. FaceApp has recently come under scrutiny over whether it is storing users’ images without permission - the latest in a string of cases where high-profile tech companies have had to explain their storage limitation processes.
Storage limitation also raises the question of when deletion, or in some cases anonymisation, is necessary. You should be able to justify why you are keeping individuals’ data in an identifiable form for any length of time, and consider the impact of data retention periods on individuals’ privacy.
Make sure you keep storage limitation under constant review. Monitor not only the data itself, but the retention periods and whether they’re still fit for purpose. The key test for whether you’re storing data effectively is this - imagine that somebody asks if you can delete their data. You should always be able to justifiably answer “no”. If the answer is “yes”, why do you have it at all?
6. Integrity and confidentiality
What have your customers consented to, and when did they consent to it? If you can answer these two questions clearly, then you’re well on your way to data integrity - it’s as much about meeting the other six principles as it is about upholding customers’ rights. Data integrity is one of the main purposes of the GDPR, and its primary aim is to restore your own confidence in your data.
As far as confidentiality is concerned, there are several big considerations to be made - it’s much more than just keeping hackers out. Ask yourself whether your data is inappropriately accessible, or whether it’s only possible to access it when it’s genuinely needed. This is an area where the ICO is very publicly cracking down but it’s far from exclusive to huge corporations and multi-million pound fines. Data confidentiality should run through any company like a stick of rock, from the smallest to the biggest and at every level.
The need to keep data from being accessed when it shouldn’t be applies as much to your own employees as to external threats. Nosiness or boredom might not be the most sinister motives, but they are no less serious: last year a GP’s secretary was fined for accessing the medical records of friends, colleagues and family members.
Never assume that because you run a small company and not a major corporation, hackers aren’t going to be interested in your data. An £80,000 fine was recently imposed on an estate agency for failing to secure its customers’ data over a two-year period. While a fine of that size might be enough to persuade you into extra vigilance, the most shocking thing about this story is that the data in question was accessed not once or twice, but half a million times. Hackers use indiscriminate software to sniff out any insecure data, no matter where or what it is.
Confidentiality also applies to physical security measures - are you disposing of paper properly and locking office doors tightly? These may seem obvious, but take the same approach to data security right across your business - online and offline - and you’ll avoid being the ICO’s next cautionary tale.
7. Accountability
It’s all very well following the other six principles, but can you prove that you’re doing it? A huge focus on accountability is another new feature of the GDPR - so it’s important to be accountable both to regulators and to the individuals whose data you’re processing. It will aid transparency and it makes good business sense - bolstering your company’s reputation for honesty and integrity, and helping protect you from legal action in the event of a breach.
Making sure you’ve got the following in place will help establish a clear track record that proves you’ve done your job:
- Internal data protection policies. These need to be specific to each category of data that you’re processing, and reviewed regularly.
- Written contracts. These need to be established with any external companies who process data on your behalf, so they understand their and your responsibilities.
- Documentation of all policies. Make sure you record any data breaches too, big or small, as certain categories need to be reported to the ICO.
- A data protection officer. Whoever you choose will need to perform training, monitoring and frequent audits.
- Data protection impact assessments. These identify and minimise risk to individuals, and help to keep a record of all decisions.
A culture of accountability is the big aim here - make it the core of your company’s data processing policy, rather than just one part of it.
Data protection “by design and default” is a phrase used by the GDPR that can sound like going back to the drawing board. Knowing that this is where British Airways fell down makes it a particularly daunting thought - but all it means is making sure you’ve got adequate protection in place across new and existing systems.