Data Protection Act 2018 – What UK Firms Should Know?


For 20 years, the Data Protection Act (DPA) of 1998 served as the key UK legislation that regulated the processing – collection, storage, use, disclosure, and erasure – of personal data. However, with the recent implementation of the EU-wide General Data Protection Regulation (GDPR), UK regulators have adopted a new version of the DPA – the Data Protection Act of 2018.

Coming into force on May 25, 2018, the Act incorporates the GDPR into UK law but also includes provisions that supplement the EU regulation, clarifying the national exemptions and extending the data protection laws to particular regions not covered by the GDPR. From a top-level perspective, the DPA 2018 was implemented to ensure that the GDPR standards will still stand in the post-Brexit UK.

At over 350 pages, the Act is a lengthy piece of legislation, which attests to its significance and impact, especially for UK firms that process personal data. To help UK financial firms navigate the changes from the DPA of 1998 to the DPA of 2018, we outline in this post key aspects of the 2018 version of the Act.

1. Data Subject Rights Exemptions

The Act includes some exemptions to the rights data subjects have over their personal data under the GDPR. For instance, an organization will not be responsible for producing a copy of personal data in response to an access request if it could reveal information that could obstruct an official or legal inquiry, or that could put the national security or freedoms of others at risk.

2. New Offenses

Aside from the existing offenses, such as illegally obtaining personal data without the consent of the data controller, new offenses were also introduced in the DPA 2018. These include knowingly or recklessly re-identifying personal data that was previously de-identified, and altering or deleting personal data to prevent its disclosure to an individual who has exercised their data subject access right (Right to Access).

3. Information Commissioner’s Role

Under the DPA 2018, the Information Commissioner – the supervisory authority in the UK for the purposes of Article 51 of the GDPR – has been granted new enforcement powers, such as the power to serve information and assessment notices, and to enter and audit premises in certain situations. The new version of the Act also sets out additional obligations of the Commissioner, such as producing codes of practice.

4. Data Processing Obligations By Controllers and Processors

The DPA 2018 also includes a special provision (Schedule 57) which requires data controllers to implement appropriate technical and organizational measures which are designed to:

  • Implement the data protection principles in an effective manner, and
  • Integrate into the processing itself the safeguards necessary for that purpose.

A controller, or a processor where personal data is processed on behalf of the controller, must also keep logs of the following processing operations in automated processing systems:

  • Collection
  • Alteration
  • Consultation
  • Disclosure (including transfers)
  • Combination
  • Erasure

According to Schedule 63(4) of the DPA 2018, this audit trail may be used to verify the organization’s lawful processing of data subjects’ personal data, assist with self-monitoring initiatives by the controller or the processor, ensure the integrity and security of personal data, and serve as evidence in case of criminal proceedings.

For UK financial companies that must also comply with the text message archiving and voice call recording requirements of MiFID II alongside the data protection standards set out by the GDPR, the way to satisfy these logging requirements is to implement an enterprise archiving platform that has audit trail and administration control features.

An enterprise mobile archiving solution that can archive text messages and record voice calls in real time can enable UK financial firms to establish a transparent data handling process that satisfies the audit trail standards set out by the DPA 2018. Furthermore, a mobile archiving solution with integrated search, filter, and data retrieval capabilities can also help UK firms respond to a request to access personal data faster and more effectively.

The TeleMessage Mobile Archiver is an enterprise messaging app that effectively addresses compliance, regulatory, and eDiscovery response requirements and reduces risk across the UK financial sector. TeleMessage records mobile content, including SMS, MMS, Calls, and Chats from corporate or BYOD mobile phones. Messages are securely and reliably retained within TeleMessage servers or forwarded to an archiving data storage vendor of your choice.

Our mobile archiving products securely capture content from mobile carriers and mobile devices for a variety of ownership models (BYOD, CYOD, and employer-issued). With our multiple archiving solutions, you can always find the right tools or blend for your requirements:

TeleMessage offers cross-carrier and international mobile text & calls archiving for corporate and BYOD phones. Contact us today to try our mobile archiving products.
