In 36 days, on December 1, 2023, the transition period of the Data Protection Act (the “Act”) will have ended, and certain persons (entities and individuals) will be required to comply with it, which will include registering with the Information Commissioner (the “Commissioner”). While this article is meant to give brief insight into the Act and some key points, it is also meant to serve as a timely reminder that the rollout of the enforcement of the Act is likely to be festive!
Registration with the Information Commissioner, and key terms
Simply put, anyone who processes or collects the personal data of others (“Processors”) will be required to register with the Information Commissioner. It is important that we get to know the key terms under the Act.
Personal data
Personal data is defined under the Act as information (however stored) relating to a living individual, or an individual who has been deceased for less than 30 years, who can be identified from that information alone or from that information and other information in the possession of, or likely to come into the possession of, the data controller, and includes any expression of opinion about that individual and any indication of the intentions of the data controller or any other person in respect of that individual. Personal data, therefore, includes information such as a name, address, or email address.
Processing of data
Data processing in relation to personal data relates to obtaining, recording or storing the information or personal data, or carrying out any operation or set of operations (whether or not by automated means) on the information or data, including— (a) organisation, adaptation or alteration of the information or data; (b) retrieving, consulting or using the information or data; (c) disclosing the information or data by transmitting, disseminating or otherwise making it available; or (d) aligning, combining, blocking, erasing or destroying the information or data, or rendering the data anonymous.
It is easy to see, then, that almost every entity or person that comes into contact with the personal information of clients, customers, employees, etc. (“Data Subjects”) and processes that information for various purposes will be caught by the Act.
In registering with the Information Commissioner, Processors would be required to register “registration particulars” that will give the Commissioner details of the Processor, a description of the personal data being processed, recipient(s), if any, of the data, and reason/purpose for which the personal data is being processed. Additionally, Processors will be required to pay an annual registration fee.
Appointing a Data Protection Officer
As the Act comes into full force, Processors will be required to appoint a Data Protection Officer (“DPO”). The DPO must be impartial, and will be tasked with the responsibilities of monitoring and ensuring that the Processor complies with the Act. This person shall also be responsible for reporting any breaches of the Act to the Commissioner. While the Act does not specifically state the qualifications of a DPO, it has been suggested that in a company, for example, this person can be an employee, but should be at management level, and must be in a position to act independently and avoid conflicts of interest between the DPO duties and other duties to the company. The Processor will be required to inform the Commissioner who has been appointed as the DPO, and provide the DPO’s contact details.
Annual Impact Assessment
Annually, Processors will be required to file a Data Protection Impact Assessment with the Commissioner. This document will identify all the personal data in custody or control of the Processor, and should be utilised to identify, assess, and minimise potential risks which may arise from the processing of personal data.
Getting ready: Implementing Data Protection Policies and Procedures
Processors must not only register with the Commissioner, but must also have data protection policies in place to ensure compliance with the Act. These policies must be clear and robust, and must have mechanisms to ensure compliance. In companies, the data protection procedures must be accessible to all members of staff, and training should be conducted to ensure that the policies and procedures are understood, since the failure of even one individual could lead to widespread implications for the entire organisation.
Processors of personal data should also ensure that Data Subjects are aware of the data protection policies and procedures in place, and how their data will be processed and used, and obtain the informed consent of such persons.
The Act imposes dire consequences for failure to comply, which include, for example in the case of a company, a fine on the annual gross income of its worldwide operations, personal liability for the officers where they actively fail to comply or where negligence is established, and restitution for any person who has suffered damage as a result of some failure in compliance with the Act.
If steps have not yet been taken by Processors to ensure compliance with the Act, now is the time to get started, and proceed with haste. The deadline for registration is just around the corner, and this may require a Processor to identify and collate what could be a significant amount of data, in order to relay that information to the Commissioner during the registration process. It will also be necessary for a Processor to keep a good record of the personal data processed, and ensure that there is a DPO in place to monitor and report on compliance with the Act. The Processor must be aware of any ongoing obligations, and put in place all such policies and practices to ensure compliance and avoid any unwanted and severe consequences. Data Processors are in for a December to remember!
Lisa Rhooms is the Managing Partner at Grant, Henry & Rhooms, and the head of the firm’s Commercial Law Department. She may be contacted at lisa@ghrlegal.com or www.ghrlegal.com. This article is for general information purposes only and does not constitute legal advice. Should you wish to seek legal advice, you may schedule a free consultation with our offices.