Data Protection Overview

Data Protection Act 1998

  • Goal: Keep personal data safe & prevent misuse
  • Enforced by Information Commissioner’s Office
  • Fines for breaches: Up to £500,000
  • Replaced by Data Protection Act 2018

Data Protection Principles

  1. Process data fairly and lawfully
  2. Obtain data only for specified & lawful purposes
  3. Data must be adequate, relevant, and not excessive
  4. Data must be accurate and kept up to date
  5. Data retention limited to what's necessary
  6. Processing in accordance with data subjects' rights
  7. Implement technical & organizational measures for protection
  8. Data not transferred outside EEA without protection

Data Protection Act 2018

  • Introduced key changes compared with the DPA 1998
  • 6th and 8th principles expanded
  • Added accountability principle
  • Maximum fine: €20 million or 4% of annual turnover

DPA Example - Task

  • Airline Case:
    • Fine of £500,000 after data exposure due to cyber attack
    • Principle failed: Appropriate measures for data protection
  • Government Branch Case:
    • Enforcement notice issued for collecting data without adequate consent
    • Principle failed: Fair and lawful processing of data

Right to be Forgotten

  • Also known as the right to erasure
  • Individuals can request deletion of data by businesses
  • Organizations must respond within a month
  • Not all data must be deleted (e.g., criminal records)

Cookies & Data Gathering

  • Cookies: Small text files stored on devices when visiting websites
  • EU Cookie Law mandates:
    • Inform users of cookies
    • Explain cookie function
    • Obtain user’s consent for storage