The UK General Data Protection Regulation (GDPR) is designed to ensure that 'organisations processing and storing personal information adequately protect it, and that any transfer of information outside of the UK is handled in an appropriate way.’

Let’s start by looking at the laws which protect the collection and storage of personal and private data.

In the UK, the right to personal privacy is protected through the UK General Data Protection Regulation (GDPR) which protects the rights of ‘Data Subjects’. The UK Government adopted GDPR through the 2018 Data Protection Act.

The right to privacy, like other human rights in Europe, is derived from the European Convention on Human Rights which was incorporated into UK domestic law as the Human Rights Act 1998.

Under GDPR, there’s a requirement for organisations processing and storing personal information to ensure its adequately protected, and that any transfer of information outside of the UK is handled appropriately. This is particularly significant for the transfer of data to the US where data protection controls are typically much less stringent than in Europe.

Figure 1: GDPR: Protecting the data

GDPR basics

The Data Controller determines how personal data is used and the Data Processor acts on the Data Controller’s behalf. They are responsible for, and must be able to demonstrate, compliance with GDPR.

UK GDPR places specific legal obligations on Data Processors, including the requirement to maintain records of personal data and processing activities.

It applies to data processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. However, it doesn’t apply to processing covered by the Law Enforcement Directive, processing for national security purposes, or processing carried out by individuals purely for personal or household activities.

The right to erasure is also known as ‘the right to be forgotten’. This is not an absolute right, and there are circumstances in which a request for erasure can be rejected.

Upholding the rights of Data Subjects under UK GDPR, in the UK this is the Information Commissioner’s Office (ICO) and if this involves financial data this would be the Financial Conduct Authority (FCA).

Personal data

Personal data is defined by GDPR as:

'Any information relating to an identified or identifiable natural person (the 'data subject')...who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’

- The information comissioner's office

GDPR applies to both automated personal data and manual filing systems, which includes chronologically ordered sets of manual records containing personal data. It also now includes online identifiers, for example, IP addresses if this can be used to uniquely identify an individual.

Personal data that has been pseudonymised, for example, key-coded, can fall within the scope of GDPR if the pseudonym can be attributed to a specific individual.

Special category personal data is defined as:

‘Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.’

- The information comissioner's office

As you can see, this includes genetic and biometric data used to identify an individual. Personal data relating to criminal convictions and offences are not included, but extra safeguards apply in these cases.

Figure 2: The 7 principles of data protection. Source: https://ico.org.uk/for-organisations/advice-for-small-organisations/frequently-asked-questions/principles-and-definitions/

Acceptable use policy

GDPR is based on seven data protection principles:

The first principle states that personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
The second principle requires that any personal data collected is for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
The third principle states that when personal data is collected or processed, it’s adequate, relevant and limited to what is necessary in relation to the purposes for which it’s processed.
The fourth principle requires personal data to be accurate and, where necessary, kept up to date in relation to the purpose for which it’s processed.
The fifth principle requires that personal data is kept for no longer than is necessary for the purposes for which it’s processed. When personal data is no longer needed it must be destroyed.
The sixth principle requires data processors to process personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.
The seventh principle, the accountability principle, requires you to take responsibility for what you do with personal data and how you comply with the other principles.

You must have appropriate measures and records in place to be able to demonstrate your compliance.