The new UK Data Protection Act and the GDPR

Twenty years after the first major piece of UK legislation to deal with personal data the UK now has a new focal point for information law: the Data Protection Act (2018).  The Act is the UK’s implementation of the General Data Protection Regulation (GDPR), enshrining it in UK law, clarifying the national derogations and extending data protection laws into areas not covered by the GDPR.  You can find out more about the Data Protection Act via the Information Commissioner's Office (ICO), the information regulator in the UK.

The GDPR brings new rights for individuals and greater responsibilities for organisations that manage personal data.  You can see how the IFoA has responded to these changes via our Privacy Notice and associated policies.  If we process your personal data you can review how we manage your data, how we secure it and how to exercise any of your information rights under the Act.

The principles of the GDPR

There are seven principles under the GDPR:

• Lawfulness, fairness and transparency: the need to have a lawful basis for processing personal data and to be open with data subjects about how it will be used
• Purpose limitation: the requirement to specify at the outset the purpose of the processing and safeguards to prevent the use of the data for other purposes without consent
• Data minimisation: to ensure the data is adequate, relevant and limited to what is necessary for the processing
• Accuracy: that the data is up to date, and kept that way
• Storage limitation: the data should only be kept for as long as is necessary, and disposed of according to a set schedule
• Security: this requires that data is held in conditions where ‘appropriate technical and organisational measures’ are in place
• Accountability: this reflects the need to evidence compliance and take responsibility for processing data in line with the law

Individual rights

Separate provisions are made for the rights of the individual under the GDPR and the new Data Protection Act:

• The right to be informed: the provision of clear privacy information at the point of collection
• The right of access: the data subject's right to obtain a copy of any personal data held in a timely manner
• The right to rectification: the right to have data corrected or completed
• The right to erasure: the qualified right to have personal data permanently destroyed
• The right to restrict processing: the qualified right to have processing of personal data limited or stopped altogether
• The right to data portability: the right to have a copy of the data in a transferrable format
• The right to object: the qualified right to have data processing stopped in certain circumstances
• Rights in relation to automated decision making and profiling: rights around the use of profiiling and the right to challenge automated decision making

Resources and guidance

Following on from our risk alert at the start of 2018 further guidance was given in a specially commissioned event and webinar in London: 'Preparing for the GDPR'.  This session provided an overview of the key elements of the GDPR for an actuarial audience.  For guidance on specific matters relating to the position of data controllers or data processors where information is not available on the ICO website the ICO provide an enquiry service.

Research and further reading

As with any new legislation the GDPR and the 2018 Act will evolve as good practice, regulatory guidance and case law develop.  If you are interested in different perspectives on information privacy law you can sign up for updates from the ICO, or search for papers and articles on the GDPR and related matters.

Clubs and societies

As with the 1998 Act small clubs and societies will require to maintain compliance with the GDPR and the new Act.  Actuarial societies by their nature collect and store personal data and should take advantage of the guidance on the ICO website for small organisations.  The guidance around the 'Right to be informed' provides a template for a revised Privacy Notice, the means by which organisations communicate their approach to the collection and ongoing management of personal data as well as individuals rights in relation to it.  Societies should also be aware of the principles of the Act and the GDPR, in particular around purpose limitation, storage limitation and security.