Data Protection & GDPR FAQs
Contents
- 1. What does data protection law cover and who regulates it?
- 2. What is personal data?
- 3. Who can hold my personal data?
- 4. How can personal data be held and for how long?
- 5. Can I get access to my personal data?
- 6. Can I ask to remove or edit personal data?
- 7. What do I do if I find out that there has been a breach of my personal data?
- 8. What do I do if I have breached the personal data of others?
- 9. What is a breach and do I have to report it?
- 10. What is changing with GDPR?
- 11. What will happen to GDPR when we leave the EU?
- 12. I’ve received a Data Protection Act Request under section 29 of the Data Protection Act 1998. Do I need to comply?
- 13. I’ve received an Information Notice. Do I need to comply?
- 14. Ask another question
1. What does data protection law cover and who regulates it?
Currently the Data Protection Act 1998 (DPA) is in force to protect and regulate the use of personal information relating to living individuals.
The DPA covers four types of information (referred to as ‘data’ in the Act):
- information processed, or intended to be processed, wholly or partly by automatic means (that is, information in electronic form usually on computer);
- information processed in a non-automated manner which forms part of, or is intended to form part of, a ‘filing system’ (that is, usually paper records in a filing system);
- information that forms part of an ‘accessible record’ (i.e. certain health records, educational records and certain local authority housing or social services records, regardless of whether the information is processed automatically or is held in a relevant filing system); and
- information held by a public authority.
If any of the above types of information relates to an identifiable individual, then it is ‘personal data’ and therefore covered by the DPA.
Data protection laws are being enhanced in 2018 when the General Data Protection Regulations (GDPR) come into force. These are being incorporated into UK law by the Data Protection Bill which will come into force over the next weeks/months.
GDPR is extending the scope of what is considered to be personal data by, for example, bringing IP addresses within the definition.
This means that most businesses hold personal data. The list of ways personal data can be held is not exhaustive and is not simply restricted to names, telephone contact details and addresses of individuals but commonly includes such things as email addresses and emails, letters, voice recordings and even CCTV footage. Anything which could be used to identify a person is personal data.
Anybody who holds, controls or processes personal data will have to comply with Data Protection rules known as the data protection principles which include provisions that any personal data must be:
- Processed fairly and lawfully (fair and lawful)
- Obtained only for a specified and lawful purpose, and shall not be further processed in any manner incompatible with that purpose (purposes)
- Adequate, relevant and not excessive in relation to the purpose (adequacy)
- Accurate and kept up to date (accuracy)
- Not kept for longer than is necessary for the purpose it is held (retention)
The person to whom the personal information relates is known as the Data Subject and the DPA allows for any Data Subject to request from any Data Controller details of the data held. This is known as a Subject Access Request.
GDPR is changing the procedures for Subject Access Requests and providing Data Subjects with more rights including the right to remove consent for data to be held and the right for data to be removed.
The Information Commissioner’s Office (ICO) is responsible for regulating and enforcing data protection laws, which includes ensuring that personal data is not unlawfully kept, used, altered or destroyed. The ICO uses a range of powers including the power to request information (an Information Notice) or to investigate and prosecute for breaches of data protection.
If you are contacted by the ICO in relation to the information you hold, or you wish to make a Subject Access Request, and haven’t spoken to a lawyer yet, we recommend doing so. Call our data protection team today for a confidential initial telephone conversation, completely free and with no obligation for the future.
2. What is personal data?
Personal data is basically anything which can identify you. This means that most businesses hold personal data. The list of ways personal data can be held is not exhaustive and is not simply restricted to names, telephone contact details and addresses of individuals but commonly includes such things as email addresses and emails, letters, voice recordings and even CCTV footage. Anything which could be used to identify a person is personal data.
The current definition of personal data also includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
In the event that an individual can be identified partly from the data held and partly from other information (not necessarily data), the law states that the data held will be personal data.
Data protection laws are being enhanced in 2018 when the General Data Protection Regulations (GDPR) come into force. These are being incorporated into UK law by the Data Protection Bill which will come into force over the next weeks/months.
GDPR is extending the scope of what is considered to be personal data by, for example, bringing IP addresses within the definition.
If you are contacted by the ICO in relation to the information you hold and haven’t spoken to a lawyer yet, we recommend doing so. Call our data protection team today for a confidential initial telephone conversation, completely free and with no obligation for the future.
3. Who can hold my personal data?
Any individual, business or public body can hold personal data of others as long as it complies with Data Protection rules known as the data protection principles which include provisions that any personal data must be:
- Processed fairly and lawfully (fair and lawful)
- Obtained only for a specified and lawful purpose, and shall not be further processed in any manner incompatible with that purpose (purposes)
- Adequate, relevant and not excessive in relation to the purpose (adequacy)
- Accurate and kept up to date (accuracy)
- Not kept for longer than is necessary for the purpose it is held (retention)
Data protection laws are being enhanced in 2018 when the General Data Protection Regulations (GDPR) come into force. These are being incorporated into UK law by the Data Protection Bill which will come into force over the next weeks/months.
GDPR and the Data Protection Bill now give the Data Subject more rights, such as the right to withdraw consent for their data to be held and the right to have the data erased (the right to be forgotten).
An application for a Subject Access Request (SAR) can be made to a specific business or organisation to find out what personal information it holds in its records or processes about you.
If you wish to make a Subject Access Request, call our data protection team today for a confidential initial telephone conversation, completely free and with no obligation for the future.
4. How can personal data be held and for how long?
The law does not require that personal data be kept in any particular format and so personal data can be held in a variety of ways. If data is deemed to be personal data, irrespective of the way in which it is recorded, the law requires that it can only be held in so far as the data protection principles are fully complied with. These include provisions that any personal data must be:
- Processed fairly and lawfully (fair and lawful)
- Obtained only for a specified and lawful purpose, and shall not be further processed in any manner incompatible with that purpose (purposes)
- Adequate, relevant and not excessive in relation to the purpose (adequacy)
- Accurate and kept up to date (accuracy)
- Not kept for longer than is necessary for the purpose it is held (retention)
There is therefore no specific legal time limit for the holding of personal data but it becomes unlawful when the purpose for which the data was held no longer exists.
Data protection laws are being enhanced in 2018 when the General Data Protection Regulations (GDPR) come into force. These are being incorporated into UK law by the Data Protection Bill which will come into force over the next weeks/months.
5. Can I get access to my personal data?
An application for a Subject Access Request (SAR) can be made to a specific business or organisation to find out what personal information it holds in its records or processes about you.
You will be able to request details of the actual data which is held or processed and the purpose for which that organisation holds the material. You can also ask whether any personal data is being used for making any automated decisions about you and an explanation as to why it is being used for that purpose. You can also ask for details of any third party to which your personal data is being disclosed and why.
The use of SARs is increasing, especially as the general public becomes more aware of the existence of data about them held by others, and it can be time consuming and have cost consequences if businesses are not properly prepared to deal with such requests. However, employers must take all reasonable steps to comply with a SAR, and the Subject Access Code of Practice issued by the Information Commissioner’s Office (ICO) expressly reminds those who hold or process personal data that they should be prepared to make extensive efforts to find and retrieve the requested information, unless it is unreasonable or disproportionate to do so.
The law currently imposes a charge of £10 to be paid to the recipient of a SAR, who then must respond within 40 days, but this cost rarely covers the time and expense incurred in collating the relevant information and sending the response.
Data protection laws are being enhanced in 2018 when the General Data Protection Regulations (GDPR) come into force. These are being incorporated into UK law by the Data Protection Bill which will come into force over the next weeks/months.
GDPR and the Data Protection Bill will remove the fee for Subject Access Requests and will reduce the time required to respond to 30 days, with the aim of making such applications more accessible to the public. It is anticipated that these changes, together with the fact that society is becoming increasingly aware of data protection issues, will increase the number of SARs, the cost of which in terms of the time and effort required to comply will have to be absorbed by those who receive them.
Furthermore, GDPR and the Data Protection Bill will introduce a harsh penalty for those who fail to comply by giving the ICO the power to impose a fine of 4% of global turnover or 20 million euros, whichever is higher.
If your business has received a Subject Access Request, or you wish to make a Subject Access Request, call our data protection team today for a confidential initial telephone conversation, completely free and with no obligation for the future.
6. Can I ask to remove or edit personal data?
Under the Data Protection Act 1998, an individual has a right to have inaccurate personal data rectified, blocked, erased or destroyed in circumstances where it is causing or is likely to cause unwarranted damage or distress.
If a request of this nature is made to an organisation, it will have 21 days to respond and can only refuse if the information it holds is required to be so held in order to:
- agree or carry out an existing legal contract;
- carry out any other legal obligation of the organisation; or
- protect the interests of the individual.
Data protection laws are being enhanced in 2018 when the General Data Protection Regulations (GDPR) come into force. These are being incorporated into UK law by the Data Protection Bill which will come into force over the next weeks/months.
The new legislation provides more robust protection to individuals who do not wish their data to be used by organisations and introduces what is known as a ‘right to be forgotten’ whereby implied consent will no longer be sufficient; express consent of an individual will be required to hold/use personal data.
Furthermore, it will no longer be a requirement for the individual to prove that the holding or processing of personal data is causing or likely to cause unwarranted damage or distress in order to get it removed.
However, the ‘right to be forgotten’ is not automatic and an organisation can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
- for public health purposes in the public interest;
- archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
- the exercise or defence of legal claims.
If you need advice in relation to how to deal with a request for removal of personal data, or need advice on the new legislation, call our data protection team today for a confidential initial telephone conversation, completely free and with no obligation for the future.
7. What do I do if I find out that there has been a breach of my personal data?
If you are an individual who has become aware that an organisation has caused a breach of your personal data, you should immediately seek legal advice as to how to proceed.
You may want to report the breach to the Information Commissioner’s Office (ICO), but the ICO will not be able to pay you compensation. However, you will have the right to take civil legal action against the organisation which caused the breach if the breach has caused you damage or distress.
Historically, a claim for distress could only be made if there was also a claim for damages. However, in 2015, the Court of Appeal ruled, in the case of Vidal-Hall v Google, that compensation could be awarded for distress alone.
Furthermore, in December 2017, over 5,000 past and present employees of WM Morrison Supermarkets plc were successful in a class action against the supermarket following a malicious data breach. This was the first data breach class action in the UK and has paved the way for others of its kind to follow.
Data protection laws are being enhanced in 2018 when the General Data Protection Regulations (GDPR) come into force. These are being incorporated into UK law by the Data Protection Bill which will come into force over the next weeks/months.
The new legislation provides more robust protection to individuals as it introduces a legal obligation for organisations to report any data breach to the ICO (current legislation does not require organisations to report breaches) and it has increased the fines available for the ICO to impose. Although this does not relate directly to compensation, it means that organisations are having to restructure policies with the new legislation in mind, with a view to preventing breaches and protecting personal data (a process known as privacy by design).
This means that in the event of a data breach, the organisation which has caused the breach will have to act fast and carry out a number of tasks including notifying those who have been affected. It will have to demonstrate to the ICO the steps it has taken to mitigate the damage of any breach.
If a breach has occurred before the new law comes into force, then we urge you to take immediate advice so that action can be taken as soon as possible in the hope that matters can quickly be resolved.
If you think you have been the subject of a data breach of your personal information and need advice as to how to deal with it, call our data protection team today for a confidential initial telephone conversation, completely free and with no obligation for the future.
8. What do I do if I have breached the personal data of others?
Under current legislation, when a breach of personal data occurs, there is no legal obligation placed on the data controller to report the breach to the Information Commissioner’s Office (ICO).
However, it is often advisable, especially in the event of a serious breach, for a report to be made. The circumstances surrounding a breach and the way in which it is subsequently handled are key factors that the ICO takes into account when considering what action to take.
It is therefore essential that anybody who finds themselves either directly or indirectly responsible for a breach obtains legal advice as to how to deal with it as soon as they identify that a breach has taken place.
Data protection laws are being enhanced in 2018 when the General Data Protection Regulations (GDPR) come into force. These are being incorporated into UK law by the Data Protection Bill which will come into force over the next weeks/months.
The new legislation provides more robust protection to individuals as it introduces a legal obligation for organisations to report any data breach to the ICO unless the breach “is unlikely to result in a risk to the rights and freedoms of natural persons”. In other words, if there is a risk the breach will damage reputation, breach confidentiality, cause financial loss or otherwise risk the rights and freedoms of those that are the subject matter of the data breach, then a report must be made within 72 hours of becoming aware of the breach.
Any notification to the ICO will need to include information about the nature and extent of the breach and what measures have been taken to mitigate the effects.
If you become aware of a data breach and need advice as to how to deal with it, call our data protection team today for a confidential initial telephone conversation, completely free and with no obligation for the future.
9. What is a breach and do I have to report it?
Under current legislation, when a breach of personal data occurs, there is no legal obligation placed on the data controller to report the breach to the Information Commissioner’s Office (ICO).
However, it is often advisable, especially in the event of a serious breach, for a report to be made. The circumstances surrounding a breach and the way in which it is subsequently handled are key factors that the ICO takes into account when considering what action to take.
It is therefore essential that anybody who finds themselves either directly or indirectly responsible for a breach obtains legal advice as to how to deal with it as soon as they identify that a breach has taken place.
Data protection laws are being enhanced in 2018 when the General Data Protection Regulations (GDPR) come into force. These are being incorporated into UK law by the Data Protection Bill which will come into force over the next weeks/months.
The new legislation provides more robust protection to individuals as it introduces a legal obligation for organisations to report any data breach to the ICO within 72 hours of becoming aware of the breach unless the breach “is unlikely to result in a risk to the rights and freedoms of natural persons”. In other words, if there is a risk the breach will damage reputation, breach confidentiality, cause financial loss or otherwise risk the rights and freedoms of those that are the subject matter of the data breach, then a report must be made.
Any notification to the ICO will need to include information about the nature and extent of the breach and what measures have been taken to mitigate the effects.
10. What is changing with GDPR?
The Data Protection Act 1998 created the role of Information Commissioner and provided the regulatory powers for data protection. Since then, the laws governing data protection in the UK have steadily increased both in scope and power. In 2010, the Information Commissioner was given the power to enforce monetary penalties and impose fines of up to £500,000.
However, when a breach of personal data occurs, there is still no legal obligation placed on the data controller to report the breach to the Information Commissioner’s Office (ICO). Furthermore, when the Information Commissioner uses her power to request information from individuals or organisations by issuing Information Notices, there may be sanctions available for non-compliance (currently a criminal offence punishable by a fine before the Magistrates’ Court) but there is no power to compel the disclosure of the information requested.
Data protection laws are being enhanced in 2018 when the General Data Protection Regulations (GDPR) come into force. These are being incorporated into UK law by the Data Protection Bill which will come into force over the next weeks/months.
The new legislation provides more robust protection to individuals as it introduces a legal obligation for organisations to report any data breach to the ICO within 72 hours of becoming aware of the breach unless the breach “is unlikely to result in a risk to the rights and freedoms of natural persons”. In other words, if there is a risk the breach will damage reputation, breach confidentiality, cause financial loss or otherwise risk the rights and freedoms of those that are the subject matter of the data breach, then a report must be made.
The new regime will also increase the maximum penalties for data protection breaches from £500,000 to £18 million and creates new offences, including the following:
- Obstructing or failing to assist in an ICO inspection
- Failing to comply with an Information Notice
- Knowingly or recklessly providing a false statement to an Information Notice
- Knowingly or recklessly obtaining, retaining, selling or offering to sell personal data without the consent of the controller
- Knowingly or recklessly re-identifying de-identified personal data without the consent of the controller
- Altering, defacing, blocking, erasing, destroying or concealing information with the intention of preventing disclosure
11. What will happen to GDPR when we leave the EU?
The General Data Protection Regulations (GDPR) are being incorporated into UK law by the Data Protection Bill which will come into force over the next weeks/months, and so the new data protection regime will be in effect under UK legislation by the time we leave the EU.
12. I’ve received a Data Protection Act Request under section 29 of the Data Protection Act 1998. Do I need to comply?
Under s29 Data Protection Act 1998 (a s29 DPA Request), investigating authorities such as local authorities, the police, HM Revenue and Customs and other government agencies can request that you provide personal information of others without their consent if the data is being requested for the following purposes:
- the prevention or detection of crime;
- the apprehension or prosecution of offenders; or
- the assessment or collection of any tax or duty or of any imposition of a similar nature.
This is known as the crime and taxation exemption.
There is not, however, an automatic right to this information, and there are factors which must be taken into consideration when deciding whether to release information following a s29 DPA Request.
If you have received a s29 DPA Request, call our data protection team today for a confidential initial telephone conversation, completely free and with no obligation for the future.
13. I’ve received an Information Notice. Do I need to comply?
An Information Notice is one of the regulatory powers available to the Information Commissioner’s Office (ICO) to investigate and ensure that data protection laws are complied with. An Information Notice requires an organisation or individual to supply the ICO with the information specified in the notice.
It is a criminal offence to fail to comply with the notice, punishable by a fine in the Magistrates’ Court.
If you have received an Information Notice, call our data protection team today for a confidential initial telephone conversation, completely free and with no obligation for the future.
14. Ask another question
Do you have another question relating to Tax Investigations that hasn’t been covered in our guide? Feel free to ask Richard Nelson LLP’s Tax investigation solicitors and we’ll endeavour to get back in touch with you as soon as possible.