Data Protection Act and GDPR Solicitors
Any business that collects or processes data must comply with data protection laws. In the UK, the primary data protection principles that govern data processing are established by the EU's General Data Protection Regulation (GDPR) and the UK's equivalent, the Data Protection Act 2018. These laws overlap significantly, but fulfilling your legal responsibilities can be a complex area, especially if you are collecting data across borders. There can be serious penalties for businesses that breach the relevant data protection rules.
Legal advice in these situations is key, and the specialist data protection solicitors at JMW are experts in helping businesses navigate the complexities of regulatory compliance relating to GDPR and the Data Protection Act. With deep knowledge in this intricate area of the law and the strict regulatory demands on businesses from the Information Commissioner's Office (ICO), our lawyers can help you to avoid costly breaches, violations and penalties. As well as responding to data protection issues and breaches of personal data, we can provide ongoing support to ensure your policies and systems are future-proof.
For expert legal advice on GDPR and data protection regulation compliance, call JMW's data management team on 0345 872 6666, or fill in our online enquiry form to request a call back at your convenience.
How JMW Can Help
JMW's specialist data protection solicitors can help you with all elements of GDPR and data protection compliance. We support business clients with everything from compliance strategies through to the development of formal policies. This includes support in fulfilling data subject access requests, communicating with data subjects, and effectively implementing data protection law.
Some of the areas in which we frequently assist businesses include:
- Data regulation compliance audits
- Business obligations under GDPR and the Data Protection Act 2018
- Data protection policies and systems
- The appointment of data protection officers
- Dealing with data breaches and ICO reports
- Dealing with complaints and enforcement action
- Data retention
- Data export
JMW works with businesses from all professional sectors, putting emphasis on gaining a strong understanding of the internal workings of all areas of your business, as well as the strategic vision for your company. If you are involved in storing or processing personal data, we can help you to fulfil your legal obligations and advise you on the steps to take in the event of a data breach.
Why Choose JMW?
JMW's expert GDPR solicitors have a wealth of experience in compliance with data protection laws. As a full-service law firm, we can provide training, legal advice, and a range of complementary services to meet all of your business needs. Partnering with JMW means more than just meeting your data protection requirements - it means having a trusted legal team that can adapt to any situation and represent your interests.
The high quality of JMW's services has been recognised by trusted guides like the Legal 500 and Chambers & Partners. Our services for data controllers include advice on unauthorised disclosure, accidental or unlawful destruction, and other breaches that can result in penalties under GDPR.
We start by discussing your business' position and objectives. Thanks to our experience, we can then provide practical advice to help you achieve your ambitions in compliance with the law. If you are subject to an investigation into your compliance with Data Protection Act or GDPR obligations, facing data breach claims or concerned about data breaches, our data protection lawyers can help you take action or implement effective measures to manage your obligations.
FAQs for our GDPR Solicitors
- What responsibilities does a UK business owner have under GDPR?
A UK business has several responsibilities to protect personal data and keep it private under the Data Protection Act. There are additional responsibilities under GDPR if you collect data about EU citizens. Fundamental among these is the ability to demonstrate a lawful basis for collecting and processing personal data. These bases include the consent of the data subject, a contract, a legal obligation, or legitimate interests.
Appoint a Data Protection Officer if your business engages in large-scale systematic monitoring or processing of sensitive personal data or if it is a public authority, as this can help to control your data protection process. Collect and process only the data that is necessary for the specified purpose, and provide clear and transparent information to individuals about how their data will be used. This is usually communicated through a privacy notice or policy. You must also enable individuals to access, correct, delete or restrict the data you collect about them.
To maintain consistent compliance with data protection legislation, you should implement any technical or organisational measures that will support data protection and integrate them into your processing activities from the outset. This includes keeping personal data secure against unauthorised access, loss, or destruction.
You must only keep data for as long as you can demonstrate that you need to. This can be ambiguous, and it can help to work with expert GDPR solicitors to develop suitable processes for this that will withstand legal scrutiny.
- What is a data controller?
A data controller is defined under the GDPR as any entity (either an individual or organisation) that collects or processes personal data. A data controller has the authority to decide why personal data is being processed and how it will be done, provided these reasons and processes comply with GDPR and the Data Protection Act.
- What is a data subject?
A data subject is any individual whose personal data is collected, processed, and stored. For extra clarification, "personal data" is any information that could be used to identify an individual, such as their name and contact details. It also includes more sensitive data, such as the person's medical history.
GDPR gives a data subject specific rights regarding their personal data, and businesses must facilitate these rights to maintain GDPR compliance. These rights include:
- Access: The right to find out whether their personal data is being processed, and if so, access the data and any information about how it is processed. This includes the right to download personal data in a structured, commonly used format or transmit the data to another controller.
- Rectification: The right to have inaccurate personal data corrected or completed if it is incomplete.
- Erasure (Right to be Forgotten): The right to have personal data erased under certain conditions, such as when it is no longer needed for the purposes for which it was collected or if the individual withdraws consent.
- Restriction: The right to restrict the processing of personal data under certain circumstances, such as when the accuracy of the data is contested or the processing is unlawful.
These rights aim to give data subjects greater control over their personal data and ensure transparency and accountability in how any data processor uses it.
- What are subject access requests?
A subject access request is a mechanism that allows an individual to access personal data that a data controller holds about them. Under GDPR, individuals have the right to obtain confirmation as to whether their personal data is being processed and, if so, to access the data and receive additional information about its processing.
An access request can be made in writing, verbally, or electronically. The data controller must verify the identity of the requester to maintain data protection. Data controllers must respond to a subject access request without undue delay and, at the latest, within one month of receipt. This period can be extended by a further two months if the request is complex.
In most cases, the data controller cannot charge a fee for handling this type of request. However, if it is unfounded, excessive, or repetitive, the controller may charge a reasonable fee or refuse to act on the request. By facilitating subject access requests, GDPR aims to promote transparency and empower individuals to understand and control how their personal data is used. Businesses that collect customer data must understand how to fulfil these requests, as this is a fundamental aspect of remaining GDPR compliant.
- What should you do if there is a data breach?
If you detect a data breach, you should take immediate steps to control the problem and limit damage. There are different types of data breach, and the response should be adapted to the specific circumstances. Report a data breach to the ICO within 72 hours of detecting it, especially if the breach is likely to result in a risk to the rights and freedoms of individuals. In certain cases, notify the affected individuals as well. Our GDPR solicitors can advise you on when this is necessary and help you fulfil these obligations.
Demonstrate compliance with GDPR principles throughout, including by maintaining records of data processing activities, conducting data protection impact assessments when necessary, and regularly reviewing data protection practices. If you are concerned about meeting your obligations, contact our dedicated data breach solicitors for tailored advice. The legal team at JMW can offer advice to help you remain compliant on an ongoing basis, discuss penalties for non-compliance and help you to understand the key principles of UK data protection legislation.
Talk to Us
To speak to a member of our data regulation compliance team, call us on 0345 872 6666, or fill in our online enquiry form to arrange a call back.