Data Protection
Bitesize
A 20 Minute Tour of Data Protection
Russell Rolph
The Basics: What is it?
• A set of organisational principles.
• It’s a promise between an organisation
and an individual.
• It’s a pledge or a contract to keep an
individual's personal data: ELECTRONIC
OR HARD COPY.
• Safe
• Accurate
• Secure
• Lawfully Processed.
Why is it important?
• People have power.
• They have choice.
• They are much more aware of what
constitutes a misuse of their data.
• The Regulator has more power to
investigate and fine.
• Organisations must do more to safeguard
individual data.
• Do not abuse a supporter or potential
supporters trust.
Sanctions
• 553 Fines Levied in 2020.
• Breach Notifications increased by 19%.
• Charities are not immune.
• Royal British Legion.
• MacMillan.
• Cancer Research.
• Fines are Proportionate – Be on guard
though.
Sanctions: From the BBC
• Eleven charities have been fined by the
UK's data watchdog for misusing
information about millions of past donors
to seek further funds.
• Offences included secretly piecing together
data from various sources and trading
personal details to target new and lapsed
donors.
• Limited individual fines of between £6,000
and £18,000 because donors could be
unhappy at more punitive fines.
• "[People] will be upset to learn the way their
personal information has been analysed and
shared by charities they trusted with their
details and their donations and "No charity
wants to alienate their donors."
• The Regulator
Terms
• Data Processor.
• Data Controller.
• An Individual.
• The Data Subject.
• The Regulator.
General Data Protection Regulation
2018 became the DP Act 2018
• Prompted in part by the Olive
Cooke case.
• Evolution in Data Protection not a
Revolution.
• More rights on the individual
regarding data.
• More onus on organisations to do
better.
• More power to investigate and
sanction.
• Builds on the Data Protection Act
of 1998.
Lawful Processing
• The first of the overarching DP Principles.
• You promise to collect and process information
accurately and lawfully.
• There are a number of grounds you can use to
achieve this:
• CONSENT: By far the simplest. But BEWARE…
• CONTRACT: You are working to a contract which
stipulates how data will be collected and
processed.
Lawful Processing
• VITAL INTERESTS:
• PUBLIC TASK: Mainly for Public Authorities who
are required to collect and process data in
conjunction with the law (CENSUS).
• LEGAL OBLIGATION: You are processing data in
line with common law.
• LEGITIMATE INTEREST: The most flexible of all the
grounds. Yet to be truly tested in case law.
Legitimate Interest
• Balances the need of the organisation with the
rights and freedoms of the individual.
• Relies on some form of past relationship.
• OR some act around regulation, best practice,
price setting or industry standards.
• Heavily used by Charities of all sizes.
EXAMPLE 1
• Bell-max Community Association have a list of 89
contacts and have been sending these contacts a
monthly E Bulletin for 3 years. Can they claim
LEGITIMATE INTEREST?
• Mr Jones has decided to join the contact database
as he is interested in the newsletter and has seen
it in a friend's house: LEGIMATE INTEREST OR
CONSENT?
EXAMPLE 2
• EXEL Insurance have used data to understand
customer preferences and selling points for their
new brand of products. They surveyed 3000
existing customers: LEGIMATE INTEREST?
• EXEL SOLD their database to another Insurance
Company who are just entering the insurance
market? LEGIMATE INTEREST OR BREACH OF DATA
PROTECTION?
Children:
• Specific care needs to be taken over processing
child data.
• OVER 13 – CONSENT CAN APPLY but the consent
notice needs to be written in such a way that the
child understands.
• UNDER 13 – PARENTAL GUIDANCE CONSENT.
• NOTE: Children have the same rights as adults in
relation to personal data.
Breach…Oh No..!!
• A breach is when the organisation or an individual
believes a breach of data protection has taken
place.
• If an individual believes a breach has taken place,
they might contact the organisation or go directly
to the regulator.
• Proportion and Perspective.
What do you do in the
event of a breach?
• Notify the
Regulator within
48 hours.
• Record on your
organisational
Breach Register.
• Contact all
affected parties.
• Await the
Regulators
Response.
• DO NOT PANIC.
What do you need as a starting
Point?
• Data Protection Policy
• Data Protection Statement
• Privacy Notice
• Breach Register
• A roadmap of how and why you collect the data
you do.
