This area of law is procedural and concerns the ways in which personal data is used by businesses, organisations and governments. It defines and regulates personal data, including the ways it is handled, shared and protected, enforces legal consequences for breaches of data protection obligations, and creates personal data rights. Data protection can sometimes be merged with information rights beyond personal data, including freedom of information, data security and data privacy rights between private individuals, businesses, and the state.
Here is what Data Protection Law covers:
Cookies are small pieces of data containing information which are downloaded onto a user's device, for example when they browse a website. A cookie saves information from the browsing history of the user and allows the website to analyse what the user searches for and their preferences, to create a more personalised browsing experience for them.
A data breach is an intentional or accidental lapse of security which results in personal data being exposed to unknown or unauthorised persons. Companies generally have a protocol to follow when this happens, and security measures in place to mitigate these risks. Data protection regulations outline the consequences of data breaches, as well as the reporting requirements to the regulator and data subjects.
Data Compliance Formalities is the term used to define the common requirements and procedures that businesses and organisations must follow to ensure that they are meeting the basic necessities of data protection laws and regulations. Businesses and organisations are obliged to follow these formalities in almost all circumstances, or else risk being unable to demonstrate compliance and face financial penalties.
A Data Impact Assessment is a process which seeks to identify potential risks, and mitigations for those risks, in projects that may pose a risk to personal data rights, such as the use of new technologies or processing capabilities.
Direct Marketing is the term used to describe a form of promotional communication between businesses, as well as between businesses and consumers. It concerns the rights and restrictions that apply to sending and receiving direct marketing communications through media such as emails, SMS, phone calls or targeted adverts.
Data Security is the term used to describe the protections put in place to prevent personal and sensitive data falling into the wrong hands. Encryption, authentication processes, password protection and data masking are examples of data security procedures. This is a fundamental requirement of personal data processing and is used to deter and block unauthorised access or breaches.
Data sharing is the concept of making data available to other researchers and organisations, so that they may learn from it and analyse it. Sharing data between researchers encourages collaboration and can allow new findings to take place. Due to the priority of protecting individuals' personal data, there are formalities and procedures to be adhered to, such as the carrying out of data protection impact assessments or reviewing data adequacy before personal data is shared.
A data subject access request is a request that can be made by an individual whose data is processed or held, to seek access to the personal data a business holds about them. Data subjects are entitled to enquire into the business's data source, how they are using the data, and who they are providing it to.
A data subject claim is a grievance that can be brought in court by an identifiable individual whose personal data is used, processed, or retained by organisations and businesses. If an individual has reason to believe their data protection rights have been breached, or that they have suffered damage as a result of misuse or abuse of their data, they can apply to court for compensation from the data controller or processor at fault.
Data subject rights are rights given to identifiable individuals whose personal data is stored and used by companies and institutions. Rights include but are not limited to: the right to know what data is being collected about the individual, the right to be forgotten, and the right to withdraw consent at any time. Data subjects are also entitled to know if there has been a data breach where they have been put at risk.
Employee data is the information an employer collects and stores regarding their individual employees. Examples include basic identification data such as name, age, and address of each employee, as well as information like progress and performance levels at work.
The Information Commissioner governs the enforcement procedure for data protection laws. If any regulation or legislation is breached by a business, the commissioner has the power to impose large fines as both a sanction and a deterrent against future infringement. The Information Commissioner can also bring civil proceedings to search premises, enforce decisions, and prevent ongoing non-compliance.
Freedom of Information is a right of access provided to anyone, allowing them to request recorded information held by public authorities. Freedom of Information legislation governs what information must be made accessible by authorities, as well as how an individual can make an application. It includes strict time limits, as well as exemptions and exclusions from disclosure in response to information requests.
A privacy notice is a document put on public display on an organisation's premises, which provides information to data subjects. The notice should detail the identity and contact information of the data controller, what data is used and how, and the company's legal basis for processing the data. Regulation requires businesses and organisations to display a privacy notice as part of the data protection formalities.
Sensitive data is personal information about a data subject which reveals intimate details about them, such as their ethnic origin, health records and genetic data, sexual orientation and political opinions.