Data Protection Act 2018
The DPA determines some details of how GDPR is applied in the UK, and establishes data protection rules for types of processing that fall outside GDPR, in particular processing by:
- The police and other criminal law enforcement authorities
- Immigration authorities
- Government intelligence services
The DPA sets out the powers of the Information Commissioner's Office (ICO), the regulator that enforces GDPR in the UK and also oversees the Freedom of Information Act 2000.
General Data Protection Regulation (GDPR, in force from 25 May 2018)
GDPR sets out the fundamental data protection principles, prohibits businesses from processing personal data without a lawful basis for doing so, and requires that data is processed fairly and securely.
Any information relating to an identified or identifiable person is personal data. Even if the information does not contain names, it is still personal data if it is possible to work out which individual it relates to, whether directly or in combination with other data.
Examples of personal data include:
- Date of birth
- Postal address
- IP address
- Cookie identifiers
- Pseudonymised identifiers such as a username or account code (data that has been truly anonymised, so that no individual can be identified from it by any means, is not personal data)
When the regulation refers to 'processing' data, it means any operation carried out on the data, such as collecting, recording, organising, storing, altering, accessing, using, sharing or destroying it.
Under GDPR a business may only process personal data if it can rely on at least one of the six lawful bases:
- Consent - where the individual has given freely given, specific, informed and unambiguous consent for a business to process their data for a specific purpose. Consent must be as easy to withdraw as it was to give.
- Contract - where a business has a contract with the individual and processing personal data is necessary to perform that contract. This also covers steps taken at the individual's request before entering into a contract, such as providing a quotation.
- Legal Obligation - where a business is required to process personal data to comply with the law; for example taxation, right to work checks and criminal record checks.
- Legitimate Interests - the broadest of the six bases, covering a wide range of activity from fraud prevention and IT security to certain types of marketing. However, legitimate interests does not cover marketing activities that require consent under the Privacy and Electronic Communications Regulations 2003. Relying on legitimate interests requires a business to carry out a balancing test (a legitimate interests assessment) weighing its interests against the individual's rights and the impact on their privacy.
- Vital Interests - where processing is necessary to protect someone's life. For example, sharing medical records with hospital staff during a medical emergency.
- Public Task - where a business is exercising official authority or carrying out a specific task in the public interest that is laid down by law. Normally this basis only applies to public authorities.
For further information on lawful bases for processing data, please see https://ico.org.uk/for-organisations/guide-to-data-protection/key-data-protection-themes/
Privacy and Electronic Communications Regulations 2003
PECR sits alongside GDPR and requires businesses to:
- keep their communication services secure
- ensure customer privacy in relation to traffic and location data, itemised billing, line identification, directory listings and similar matters
- obtain consent where it is required for electronic marketing (as noted under Legitimate Interests above)
The only exemptions from PECR are for national security, law enforcement, or compliance with other laws.
For further guidance on PECR, please visit the ICO PECR Guide.