Question

Question 2 Information Security Management involves the consideration of various laws and legal constraints. One on hand, businesses must be compliant with laws, and therefore act as a constraint on activity. On the other hand, laws act as a form of control against attacks. a) The EU's General Data Protection Regulation (GDPR) came into force in UK in May 2018. At the same time in the UK the Data Protection Act 2018 (DPA) replaced the Data Protection Act 1998 i) Outline the six data protection principles of GDPR. [6 Marks] ii) Explain the relationship between GDPR and DPA 2018. Why are two pieces of legislation necessary? [4 marks]

Answer 1

The Eu's General Data Protection Regulation (GDPR) is Europe's new framework for data protection and privacy laws. It came into effect on 25 May 2018 across all European Union member countries, including the UK. The GDPR covers personal data, including the category of sensitive personal data .

i) Six principles for processing of personal data

• Lawfulness, fairness and transparency - you must process personal data lawfully, fairly and in a transparent manner in relation to the data subject.
• Purpose limitation - you must only collect personal data for a specific, explicit and legitimate purpose. You must clearly state what this purpose is, and only collect data for as long as necessary to complete that purpose.
• Data minimization - you must ensure that personal data you process is adequate, relevant and limited to what is necessary in relation to your processing purpose.
• Accuracy - you must take every reasonable step to update or remove data that is inaccurate or incomplete. Individuals have the right to request that you erase or rectify erroneous data that relates to them, and you must do so within a month.
• Storage limitation - You must delete personal data when you no longer need it. The timescales in most cases aren't set. They will depend on your business’ circumstances and the reasons why you collect this data.
• Integrity and confidentiality - You must keep personal data safe and protected against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

ii) The principles are broadly similar to the principles in the Data Protection Act 1998 (the 1998 Act). It sits alongside the GDPR, and tailors how the GDPR applies in the UK .

The Data Protection Act 2018 (" DPA 2018") was passed on 23 May 2018 and replaces the Data Protection Act 1998.

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) have some key differences which may impact the UK’s relationship with the EU, post-Brexit. The GDPR became enforceable on 25thMay 2018. As a European regulation, it is directly effective in EU Member States, meaning that all UK organizations must comply with it.

The DPA is wider in scope than the GDPR, covering

• Criminal sanctions and fines for GDPR infringements (for example the introduction of an unlimited fine for the new offence of intentionally or recklessly re-identifying individuals from anonymized data).
• Processing relating to areas outside the scope of EU law (and the GDPR) such as national security and immigration.
• Transposition of the EU Data Protection Directive 2016/680 (Law Enforcement Directive) into UK law.
• The role and powers of the UK’s independent authority (the ICO) in upholding information rights and freedoms.

Finally, whilst the GDPR is governed by the Court of Justice of the European Union (CJEU), when the UK leaves the EU, the DPA will be governed solely by the UK justice system, leaving the CJEU out in the cold.