Making Sense of Data Protection Legislation
Overview
As the digital landscape has evolved, data protection legislation has had to change with it to stay up to date. Most records are now held in online databases rather than as physical files, so legislation has become increasingly geared towards digital data. Storing data carries risks, such as data breaches, retaining data that is not needed, or holding an individual's data without consent. Data protection legislation is designed to mitigate these risks for the benefit of both individual internet users and businesses that run online databases.
This article will cover the main pieces of legislation around data protection and data processing. It also highlights the benefits of the legislation and reasons it may belong in your ISO Compliance Register.
The Data Protection Act 2018 and Other Data Protection Measures
The Data Protection Act 2018 is the most prominent and applicable data protection act currently in place in the UK. However, there are other pieces of legislation that are important to keep in mind when managing or using databases.
- The Data Protection Act 2018 – The Data Protection Act was put in place as a way of implementing GDPR in the UK, protecting personal data and giving individuals more control over how their data is used. There are very few differences between this act and GDPR; however, it is best to consult this act if your business operates primarily in the UK.
- GDPR – Also known as Regulation (EU) 2016/679, GDPR applies to the processing of personal data. The regulation covers a wide range of data protection law, built around seven key principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
- The Data Retention Regulations 2014 – These regulations require telecommunications service providers to limit the time they keep certain types of communications data to under 12 months. Once data is no longer needed for business purposes, it should be deleted or made anonymous.
Cases of Data Breaches
The consequences of mishandling data or being found responsible for violating data protection regulations can be severe, and some high-profile examples show the extremes. The largest fine issued in the UK, as of April 2024, was the October 2020 British Airways fine of over 22 million euros. The largest sum requested from any company overall was 1.2 billion euros, a fine issued to Meta by Ireland's Data Protection Commission after it was found to have transferred data from the EU to the US without the correct data privacy safeguards in place.
Fines are not the only reason for concern around data protection: the growing number of data breaches carried out by hostile states and organisations calls for stronger data security to protect private information. In May 2024, around 270,000 payroll records of the British Armed Forces were exposed in a breach at a third-party contractor, compromising information such as names, bank details and even addresses. This raises the question of whether stronger cyber defence measures need to be undertaken to protect private data, and whether companies are doing enough to ensure the safety of the data they store.
Benefits of Having Data Protection Legislation in Your ISO Compliance Register
The above examples are only a few extreme cases of a long list of data breaches and violations that have affected businesses in recent years, demonstrating the need to pay close attention to data protection legislation. Here are five benefits of having data protection legislation in your ISO compliance register:
- Widely Applicable – Data protection legislation applies to any business that collects or holds data, especially personal data of staff, customers or other third parties.
- Reduces Risk – Having the correct measures in place reduces the risk of costly data breaches.
- Customer Satisfaction – Customers are provided with peace of mind around how you use and store their data.
- Efficiency – The legislation helps ensure that data is not being stored unnecessarily. This improves the quality of the data and the efficiency of its use.
- Ease of Understanding – Overall, legislation is made clearer and easier to understand.