Although this day has been globally recognised since 2006, if you were to ask your employees on what day it falls, it is unlikely that they would know.
So, what is it all about?
On 26 April 2006 the Council of Europe decided to launch a Data Protection Day to be celebrated each year on 28 January. This was the date on which the Council of Europe’s data protection convention, known as “Convention 108”, was opened for signature.
Now internationally recognised, and known as Data Protection Day across Europe and as Data Privacy Day outside Europe, the day is an effort to create awareness about the importance of respecting privacy, safeguarding data and enabling trust. It offers an international opportunity for collaboration among governments, industry, academia, not-for-profit organisations, privacy professionals and educators.
Personal data is constantly being processed and, according to the ICO (Information Commissioner’s Office), “we live in a data-driven world. Almost every transaction and interaction you have with most organisations involves you sharing personal data”. Of course, the sharing of data is convenient and helps make life easier, but how familiar are you with the risks associated with the protection of your personal data?
Would you recognise when your personal data has been compromised or know what to do if you consider that your rights have been breached?
So, what is personal data?
At a basic level, this will be your name, address and date of birth, but data sharing can also happen at work and in your communications with public authorities and health and social services.
Personal data is information relating to an identified or identifiable living human.
Identifiable means that a person can be recognised from that information, either on its own, or amongst other available information. This can be all sorts of information, from a name and contact details to an IP address; from information about the sort of products a person buys online to their opinions about colleagues.
Think about the personal data you share when you buy goods or services, book holidays or make travel arrangements, use social media, send an e-mail or surf the internet.
Information “relates to” the person if it tells you something about them. This could be as basic as their name and place of work, or their email address.
“Special category data” (sometimes known as “sensitive personal data”) is information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership, information concerning health, sex life or sexual orientation, and genetic and biometric data; this category has additional protections in place.
Why should I care about my data protection rights?
As an individual, it is important to know what your rights are, and what you can do to ensure your information is being used responsibly.
As a business, you are likely to be dealing with personal data in all sorts of contexts, from your employees to your customers, and particularly your marketing activities. You need to ensure that you are dealing with this information properly.
The ICO stresses that “Your data is your data. It belongs to you so it's important your data is used only in ways you would reasonably expect, and that it stays safe. Data protection law makes sure everyone’s data is used properly and legally”.
What does the law say?
As you will already be aware, data protection law in the UK applies to most businesses and organisations and is set out in the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018.
The legislation applies to any processing of personal data that is wholly or partly automated, or that forms (or is intended to form) part of a filing system.
What rights do individuals have under the UK GDPR?
The UK GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Where can I or my employees find out more?
The Council of Europe has created a guide for internet users to help them better understand their human rights online and what they can do when these rights are challenged.
Contact the ICO - https://ico.org.uk/for-the-public/your-data-matters-blog/
Read and familiarise yourself with your Company Data Protection Policy.
What do I need to know for my business?
Post-Brexit, the Data Protection Act 2018 kept the EU's General Data Protection Regulation in UK law, and the EU deemed in 2021 that this was equivalent to their own. This situation is likely to continue until June 2025, unless UK law diverges significantly from GDPR.
The UK Data Protection and Digital Information Bill (DPDI bill) was introduced to Parliament in July 2022 with the aim of reducing certain requirements of GDPR on businesses, but the second reading of the Bill did not take place on 5 September 2022 as scheduled. In October 2022, the government announced its plan to introduce a bespoke British data protection system which is intended to be business and consumer friendly and will keep people's personal data secure. The government stated that it will do this by amending the DPDI Bill which will continue its passage in due course.
Of course, all companies need to gather and use information, or ‘data’, about individuals as part of their day-to-day business activity, and they must comply with the legal obligations under the Data Protection Act 2018 in respect of the processing of ‘personal data’ and ‘sensitive personal data’. These rules apply whether data is stored electronically, on paper or on other materials.
Following the introduction of GDPR in May 2018, we encouraged our clients to conduct an initial audit and risk assessment, to identify gaps between current practice and GDPR requirements and assess the level of privacy risk based on the type of data processed.
The following is what we regard as essential Data Protection documentation for staff data:
- a GDPR audit map. This is useful if you haven’t already implemented any measures to comply with Data Protection legislation. It helps you to consider what types of data you may hold and why.
- a GDPR privacy notice. This describes how you collect, store and use data for your employees, workers and contractors.
- a GDPR procedure for breach. This provides you with guidelines regarding reporting a data breach and timeframes for reporting a data breach.
- a GDPR data retention policy. This looks at how long you hold data and how to secure it.
- a GDPR candidate privacy notice. This can be used to notify prospective employees, workers and contractors about the personal data that the employer proposes to hold relating to them, how they can expect their personal data to be used and for what purposes.
- a sample records retention schedule. This sets out the time periods that different types of (employment-related) business records must be retained for business and legal purposes.
Whilst Alcumus is not a Data Protection specialist, we understand that GDPR overlaps with some HR principles and practices and so would be pleased to help if you have any queries. Please contact your HR Consultant directly or email [email protected].