As a practitioner of Data Protection, particularly in the private sector, it is crucial to understand and appreciate the unique responsibilities this role entails.

For instance, all data processing activities must comply with regulatory requirements, industry standards, and organizational policies. Take, for example, data security and privacy. Article 5 of the DPA Act 2020 (EU GDPR 2018) outlines seven key principles that must be adhered to when processing any data:

1. Key Principles of Data Protection

a. Lawfulness, Fairness, and Transparency
Personal data must be processed lawfully, fairly, and transparently in relation to individuals. To process personal data, the consent of the data subject is required, and processing must comply with the law (lawfulness of processing conditions). For special categories of data, processing must also align with specific legal provisions, such as obligations under employment laws (Article 9).

Fairness emphasizes implementing protection procedures that uphold the rights of data subjects, which include the following:
  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights related to automated decision-making

b. Purpose Limitation
Data should only be processed for specified, legitimate, and explicit purposes (Article 5(1)(b)).

c. Accuracy
Personal data must be accurate and up-to-date. Outdated or incorrect information is not fit for processing.

d. Data Minimization
Data collected and processed must be adequate, relevant, and limited to what is necessary.

e. Storage Limitation
Data must be stored in a manner that allows the identification of data subjects for no longer than necessary.

f. Integrity and Confidentiality
Protection measures must be implemented whenever data is processed to maintain its integrity and confidentiality.

g. Accountability
Those responsible for data processing must ensure compliance with these principles and demonstrate accountability at all levels.

2. Privacy and Data Protection

Privacy and data protection are intrinsically linked. Data subjects must have tools and means to exercise their rights and protect their data from misuse. Clear responsibilities and accountabilities must be defined for all individuals involved in processing data, ensuring compliance with legal standards and safeguarding personally identifiable information (PII) under Article 4(1).

Organizations operating within Europe or the UK are required to comply with GDPR 2018 and/or the DPA Act 2020. In Nigeria, similar laws have been adopted verbatim.

Securing consent from data subjects before processing their data is mandatory, particularly in the private sector, where requirements may differ from public sector norms.

3. Consequences of Non-Compliance

One of the most striking aspects of the law is its strict enforcement. Non-compliance can lead to significant fines and reputational damage, making adherence to data protection regulations imperative.

4. Essential Documentation for Compliance

To demonstrate compliance, organizations in the private sector must maintain the following documentation:

  • Personal Data Protection Policy (Article 24)
  • Privacy Notice (Articles 12, 13)
  • Employee Privacy Notice
  • Data Retention Policy (Articles 5, 13, 17, 30)
  • Data Retention Schedule (Article 30)
  • Data Subject Consent Forms (Articles 6, 7, 9)
  • Parental Consent Form (Article 8)
  • DPIA Register (Data Protection Impact Assessment)
  • Supplier Data Processing Agreement (Articles 28, 32, 82)
  • Data Breach Response and Notification Procedure (Articles 4, 33, 34)
  • Data Breach Register (Article 33)
  • Data Breach Notification Form to the Supervisory Authority (ICO - Article 33)
  • Data Breach Notification Form to Data Subjects (Article 34)

5. Additional Documentation Post-Gap Analysis

  • Job Description for Data Protection Officer (Articles 37, 38, 39)
  • Inventory of Processing Activities (RoPA) for organizations with over 250 employees
  • Standard Contractual Clauses for the Transfer of Personal Data to Controllers (Article 46)
  • Standard Contractual Clauses for the Transfer of Personal Data to Processors (Article 46)

Author:

Lord Ajibola Odu
Senior Data Governance Manager
LL.B, B.L, MBA (Durham), EU-GDPR-F, EU-GDPR-P (London), MSc (Northumberland) Cybersecurity (in view)
Public Governor, Durham and Darlington NHS Trust, UK

Contact Information
Email: [email protected]
Phone: +447570099745; +447484854269; +2348121985414