Week 11 Data Law and Data protection

Last updated 12:29 AM on 5/14/26

12 Terms

1. The Data Protection Act 2018

The Act governs the use of personal information and affects how information systems are used by businesses

The Act implemented the General Data Protection Regulation

Extends data protection into areas not covered by GDPR, and provides for the Information Commissioner's Office (ICO) as regulator

2. Through the UK General Data Protection Regulation (UK GDPR), the UK has retained the majority of the GDPR, with the majority of rights, principles and obligations remaining the same.

Governs personal data.

What is personal data?

• Names, addresses, email addresses, telephone numbers

• Family details

• Health and medical history

• Information about lifestyle and hobbies

• Details of education and training

• Employment data

• Financial information

3. 1st principle of UK GDPR

1 Lawfulness, fairness and transparency: the need to have a lawful basis for processing personal data and to be open with data subjects about how it will be used

4. 2nd principle of UK GDPR

2 Purpose limitation: the requirement to specify at the outset the purpose of the processing and safeguards to prevent the use of the data for other purposes without consent

5. 3rd principle of UK GDPR

3 Data minimisation: to ensure the data is adequate, relevant and limited to what is necessary for the processing

6. 4th principle of the UK GDPR

4 Accuracy: that the data is up to date, and kept that way

7. 5th principle of UK GDPR

5 Storage limitation: the data should only be kept for as long as is necessary, and disposed of according to a set schedule

8. 6th principle of GDPR

6 Security: this requires that data is held in conditions where ‘appropriate technical and organisational measures’ are in place

9. 7th principle of GDPR

7 Accountability: this reflects the need to evidence compliance and take responsibility for processing data in line with the law

10. Individual Rights (eight)

The right to restrict processing: the qualified right to have processing of personal data limited or stopped altogether

The right to data portability: the right to have a copy of the data in a transferable format

The right to object: the qualified right to have data processing stopped in certain circumstances

Rights in relation to automated decision making and profiling: rights around the use of profiling and the right to challenge automated decision making

The right to be informed: the provision of clear privacy information at the point of collection

The right of access: the data subject's right to obtain a copy of any personal data held in a timely manner

The right to rectification: the right to have data corrected or completed

The right to erasure: the qualified right to have personal data permanently destroyed

11. Enforcement & Regulatory Action

Regulator

Information Commissioner’s Office (ICO) is the UK data regulator.

Data Protection Officer (DPO):

• Certain entities must appoint a DPO (a public authority or body, or where your core activities require large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data or data relating to criminal convictions or offences).

• An organisation can appoint a DPO even if not obliged to do so.

• In either instance, the organisation must have adequate resources to discharge its obligations under the UK GDPR.

Duty to report a breach to the ICO:

Organisations should consider whether a breach poses a risk to people, including the likelihood and severity of the risk to people's rights. If this assessment finds that a risk is likely, you must report the breach to the ICO.

Time limit to report a notifiable breach: 72 hours

Sanctions

Sanctions: monetary penalties, enforcement notices, prosecutions and undertakings

Highest fines are 20m Euros (or £17.5m) or 4% of total annual worldwide turnover in preceding year (whichever is the higher)

12. Enforcement & Regulatory Action CASE STUDIES

Marriott Hotels

The ICO fined Marriott Hotels £18.4m for a major data breach in which guest names, contact information and passport details were compromised.

Capita

In 2025 the ICO fined Capita £14m; in 2023 the personal information of 6.6 million people was stolen, from pension records and staff records to the details of customers of organisations Capita supports. For some people, this included sensitive information such as details of criminal records and financial data.