Thu 01 / 04 / 21
What are the key data protection concepts you need to know about?
The UK GDPR is a long piece of legislation, and so are the definitions in it. Sofia Carroll of Armchair Data simplifies some key concepts your business has to be aware of, so you understand better what’s happening in the sector and how it might affect you.
By Sofia Carroll of Armchair Data
If you have ever attended a data protection webinar or read a news article about the UK GDPR, you might have come across specialist terms that weren’t always explained. To help you navigate this area of legislation more easily, here are some key terms from the law explained.
Personal data
This is the most important definition to know because if there is no personal data, the UK GDPR does not come into play at all.
“Personal data” has a very broad interpretation:
- It can either pinpoint directly who someone is (the law says it “identifies” them), or tell you indirectly who they are because of different information points combined (making them “identifiable”).
- It includes the obvious things like name and address, but also things like a job role and salary for one specific employee, without mentioning their name.
- What you hold in relation to a person may not be personal data to someone else holding the same information. Context is crucial when determining what personal data is and isn’t.
Data subject
This is a person whose personal data you are using. Only people (as opposed to companies) can have personal data, and only people who are alive have data protection rights. Data protection law does not apply to people who have passed away.
Data protection principles
These are the six key rules for how to process (or use) personal data properly. The principles cover using it lawfully and being open about why you need it, using it only for a specified purpose, not collecting more than you need, and keeping it secure, to name a few.
Lawful basis for processing
These are the reasons allowing you to use personal data without breaching the law. This is closely related to one of the data protection principles, which is that you need to process data lawfully.
The UK GDPR lists six specific “bases” that you can rely on, ranging from consent of the person, to protecting their vital interests in a life-or-death situation. If you can’t identify one, you’re not allowed to collect personal data.
Controller
This is any person (for example, a sole trader), a company, a charity, or a voluntary club that collects personal data and decides why and how to use it. Some self-employed people may think the UK GDPR does not apply to them because we only hear of big corporations failing to comply with it, but this is not the case.
The controller bears the majority, if not all, of the responsibilities for data protection being done correctly, and also for being able to show it, known as “accountability” in the law. They can get fines and bad publicity when things go wrong.
This is probably you, collecting data for various purposes, such as marketing or to fulfil your obligations as an employer.
Processor
As in the controller definition, this can be anyone: the entrepreneur, SME, small charity or a conglomerate. The difference is that they don’t decide why personal data is processed, but they help the controller do it following their instructions to the letter.
Under the new rules (after the GDPR), a processor has more responsibilities and can now also be fined when they don’t follow the controller’s instructions.
A processor can be the company you use to host your website or deal with complaints you receive from the public.
ICO
The Information Commissioner’s Office, or ICO, is a “supervisory authority” under the UK GDPR. The ICO are responsible for upholding information rights under data protection and other laws, such as the Freedom of Information Act 2001.
As the regulator in this sphere, the ICO have many responsibilities. You may get in contact with them to discuss:
- Someone’s complaint about how you responded to their data request.
- Paying your registration fee as a controller.
- A serious breach you committed that you have to tell them about.
- Your general personal data practices if they have a concern about companies in the same industry.
Why is it important to understand these definitions?
There are more definitions that are important in data protection practice, but the selected terms will help you navigate a simple activity: a person shares their personal data with you so that you can achieve your goals, and perhaps you ask a supplier to help in the process. This means that you:
- Understand that you have different responsibilities in relation to personal data compared to your suppliers
- Can self-help with resources available online that will inevitably use the legal terms from the law
- Will not get surprised if an individual contacts you with a complaint, quoting directly from the UK GDPR
To learn more about what the UK GDPR means for you or if you would like some training for your team, you are welcome to email hello@armchairdata.com and Sofia will tailor a solution for you. Armchair Data also offers a detailed review of your processes and consultations with focus, addressing your SME’s specific data protection questions.
If you want to contribute to the Chamber blog, contact us on hannah@brightonchamber.co.uk