
The Core Principles of Data Protection: What the Board Should Know

Data protection is firmly in the spotlight as organisations in all sectors prepare for the implementation of the General Data Protection Regulation, and the UK’s Data Protection Bill, in May 2018. The new regulations are extensive and highly detailed, but at their core lie the key principles of data protection that act as useful starting points for board members to query their company’s framework for compliance and to identify areas of weakness.

Data protection legislation has been drafted around core principles since the Data Protection Act was implemented in 1998. Applying these principles ensures that an organisation is lawfully and ethically collecting, storing and processing the personal data of its customers, service users and employees.

The most recent legislation includes an additional requirement for accountability. This is of critical importance to boards, and an essential route to establishing accountability is to ensure that the member of staff responsible for data protection reports at the board level. When they do, they should be able to demonstrate how the organisation complies with the following core principles:

Lawfulness:

Data must be collected lawfully under one of the legal criteria specified by the legislation. These are: consent, contract, legal obligation, vital interests, public task and legitimate interests. The majority of organisations will collect data under the basis of consent, which must now be explicitly given. The days of implied consent through a data subject’s failure to uncheck a pre-ticked box are firmly over. Companies will have to show that data subjects have given full, active consent for their data to be collected and have been fully informed as to how their information might be used.

Questions for the board to ask: What is the process for ensuring that data subjects have given valid consent for us to collect, store and process their data? Is our use of data designed to be clear and transparent?

Purpose:

Data must be collected for a stated purpose, agreed upon by the data subject under the specific terms of consent, and may not be used at any point for a different purpose. An example might be a charitable organisation that circulates a petition to support one of its causes and, in the process of doing so, collects signatures and the addresses of signatories. The charity may not, at a future point, use those addresses in a fundraising campaign, unless the data subject specifically gives consent to their data being used in this way when they sign the petition.

Questions for the board to ask: Is our data catalogued so that it is clear to all users how they may use that data? Do all data users understand the limitations of the data we hold? Is there a training need?

Data minimisation:

Data that is collected must be adequate, relevant and limited to what is necessary to achieve the purpose of the data processing. Organisations must be clear that they are collecting and processing only the data that is pertinent to their operations. Collecting and processing extraneous data will put the organisation in breach of the legislation. This is a more stringent responsibility than under previous legislation and will require organisations to review the relevance of the data they collect.

Questions for the board to ask: Have we reviewed our data collection policies to ensure that we collect and process only that data that is relevant for the purpose stated under the terms of consent?

Accuracy:

It is the responsibility of the data controller to make every reasonable effort to ensure that the data held about a subject is accurate and that inaccurate or outdated information is erased from, or corrected in, the system without delay. This makes sense not only for the data subject, but for the data controller also – there’s no point using inaccurate data and, indeed, using such data could be harmful to the data subject.

Questions for the board to ask: Do we have the right resources and procedures in place to manage the ongoing accuracy of the data that we hold? How do we engage with data subjects to update the information we hold about them?

Data retention period:

This principle limits the length of time that personal data should be held to the period necessary to carry out the processing under the terms on which the data was collected. A critical new aspect of this principle in the GDPR and the Data Protection Bill is the ‘right to be forgotten’, which gives individuals the right to request that all data relating to them is erased from an organisation’s systems. Effectively, the data controller’s right to use the data subject’s information exists only while the data subject continues to consent to its use. The data subject has the right to withdraw consent at any time, and the data controller is then obliged to erase all data held about the subject entirely from its own systems and from those of any data processing companies it uses. This requires that organisations have robust data management systems in place.

Questions for the board to ask: Can we confidently identify all the data held about a data subject and effect a complete erasure of that data within the required timescale? What is our limitation on retaining the data we collect?

Security:

Personal data must be kept in a secure location and protected from unlawful access and processing, such as cyberattack or internal threats, and safeguarded against accidental loss or damage. This principle recognises that personal data has a commodity value to hackers and may also be put at risk through poor employee training or malicious employee actions. The data controller is responsible for enacting appropriate security measures, and the legislation sets out the actions that must be taken to advise data subjects if their data is accessed unlawfully. This includes a 72-hour timeframe within which subjects must be notified if their data has been breached in a way that has the potential to cause material harm. This stipulation recognises the fact that, in the present internet climate, data breaches are inevitable. An organisation will be judged more on how it deals with those breaches than on the fact that they have occurred in the first place.

For boards, the issue of cybersecurity is a large and ongoing challenge and data protection is just part of the wider conundrum. Boards need to understand the risks to data within their organisation and the current capabilities of their defence networks to determine what their posture will be in response to those risks.

Questions for the board to ask: Can our security systems detect and mitigate cyberattacks within the 72-hour breach notification time period? What is our response plan in the event of a material breach of our systems?

Accountability:

Organisations are now obliged to demonstrate how they comply with data protection legislation. What procedures, tools and systems are in place to show that the organisation operates within a culture of respect for individuals’ rights to privacy? The organisation is expected to implement appropriate governance measures to ensure compliance, and this includes a “commitment to the aims and spirit of GDPR from the firm’s board and senior management”. The UK Information Commissioner’s Office has indicated that there will be no grace period for organisations to comply with the GDPR and the Data Protection Bill, but has hinted that organisations which are transparent about their position and clearly working towards implementing data protection measures will be viewed more favourably than those which are not. This means that being able to demonstrate the actions taken towards compliance is a priority for boards as they keep on top of their organisation’s status in meeting its obligation to uphold the core principles of data protection.
