Data Protection

Since the publication of the General Data Protection Regulation in 2016, and the subsequent enactment of the Data Protection Act 2018, there has been a drastic change in the approach to the use of personal data, and a renewed focus on Confidentiality, Integrity and Availability. There is now recognition of the rights of the individual, with organisations forced to think more carefully about the way that they work with data.

Cambridge Risk Solutions have a deep understanding of data protection, and experience in helping clients embed effective and practical solutions, so that data protection becomes part of the organisational culture and meets all regulatory requirements.

Personal data is ‘information that relates to an identified or identifiable individual’. In other words, it could be data that is directly linked to an individual (name, identification number, email address (whether work or personal) or IP address), or it could be information that, taken together, could identify an individual (postcode, house number, age).

Special Category Data is more sensitive data, which includes:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade Union membership
  • Genetic data
  • Biometric data
  • Health data
  • Data about sex life
  • Data regarding sexual orientation


Special category data needs more protection, and an additional lawful basis for processing.

The definition of processing is very wide, and includes:

  • collection
  • recording
  • organisation
  • structuring
  • storage
  • adaptation or alteration
  • retrieval
  • consultation
  • use
  • disclosure by transmission
  • dissemination or otherwise making available
  • alignment or combination
  • restriction
  • erasure or destruction

So even just receiving an email from a personal email address is classed as ‘processing’, even if you immediately delete it!

There are seven key principles for data protection:

  • Lawfulness, fairness and transparency
  • Purpose Limitation
  • Data Minimisation
  • Accuracy
  • Storage Limitation
  • Integrity and confidentiality (security)
  • Accountability

There are six lawful bases for processing data, and it is important that you identify the correct basis depending on your relationship with the data subject and the purpose for processing the data:

a.  Consent, where there is clear consent to process the data for a specific purpose

b.  Contract, where the processing is necessary for a contract or for specific steps before entering that contract

c.  Legal Obligation, where you need to comply with the law

d.  Vital Interest, where the processing is vital to save someone’s life

e.  Public Task, where you need to process for the public interest or official functions (e.g. local government), and the function has a basis in law

f.  Legitimate Interest, where it is necessary for the legitimate interest of a third party or for your own legitimate interest.

For each of these bases, there is detailed guidance available to ensure that you are using the most relevant one.


How can Cambridge Risk Solutions Help?

Cambridge Risk Solutions provides a range of services to assist with the implementation of effective Data Protection policies and procedures, and has an experienced Certified Data Protection Officer who can assist with your data protection compliance.

View some case studies of recent Data Protection projects.