
What Are The Legal Rights And Obligations For Data Protection And Privacy?
The Data Protection Act 2018 (the Act) and the General Data Protection Regulation (GDPR) govern legal rights and obligations for personal data protection and privacy. Broadly, the GDPR sets out the rights of individuals and the obligations imposed on organisations in processing data as follows:
- Data processing must have a lawful basis and be fairly carried out. Individuals should be informed how their personal data is being used.
- Data should only be collected for specified, explicit, and legitimate purposes.
- Only data that is necessary for the stated purposes should be collected.
- Data must be accurate and kept up to date.
- Personal data should only be kept for a period necessary for the stated purpose.
- Data should be processed securely and protected against unauthorised access or breaches.
- Data protection impact assessments may need to be carried out for high-risk data processing activities. Organisations do this to assess and mitigate potential privacy risks.
- Individuals have several rights under the GDPR, including the right to access their data, rectify inaccuracies, and erase data in certain circumstances.
- Where consent is relied on as the lawful basis for processing, it must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give.
- Organisations must report personal data breaches to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be told.
The Act supplements the GDPR and adds provisions covering matters outside it, such as processing by law enforcement agencies, processing by the intelligence services, and other national security matters.
The ICO is the independent regulatory authority for data protection. It provides guidance, enforces data protection laws, and handles complaints about data protection issues.
More information is available in the By Lawyers Data Protection and Privacy guide.