What is the UK Data Protection Act 2018?
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR), and regulates how personal information is used by organisations, businesses, or the government.
Everyone responsible for using and processing personal data must follow strict guidelines called ‘data protection principles’.
What are the data protection principles?
The data must be:
What is considered sensitive information?
With the Data Protection Act 2018, there is stronger legal protection for more sensitive information, such as race, ethnic background, political opinions, religious beliefs, trade union membership, genetics, biometrics (where used for identification), health, sex life, or orientation. There are separate safeguards for personal data relating to criminal convictions and offences.
What are individuals’ rights?
Under the Data Protection Act 2018, individuals have the right to find out what information the government and other organisations store about them. These rights include the right to be informed about how their data is being used, to access their personal data, to have incorrect data updated, to have data erased, to stop or restrict the processing of their data, to data portability (allowing them to obtain and reuse their data across different services), and to object to how their data is processed in certain circumstances.
Individuals also have rights when an organisation is using their personal data for automated decision-making (without human involvement) and profiling (for example, to predict their behaviour or interests).
What is the difference between the UK Data Protection Act and the EU GDPR?
The General Data Protection Regulation (GDPR) is a regulation enacted by the European Union (EU) to protect the privacy and personal data of EU citizens. It applies to all EU member states and any organization worldwide that processes the personal data of EU citizens. The GDPR provides individuals with several rights, including the right to access their data, correct inaccuracies, erase data, restrict processing, and object to processing. It also includes provisions for data portability and the right to reject automated decision-making. The GDPR is known for its strict penalties for non-compliance, which can reach up to 4% of a company’s global annual turnover or €20 million, whichever is higher.
The Data Protection Act 2018 is the UK’s national law that implements and supplements the GDPR. It applies to all organisations operating within the UK and any organisation worldwide that processes the personal data of UK residents. While the Data Protection Act 2018 incorporates the provisions of the GDPR, it also includes additional provisions and exceptions tailored to the UK context. For example, it includes specific provisions on processing data for law enforcement purposes, intelligence services, and immigration control. It also establishes the UK’s data protection authority, the Information Commissioner’s Office (ICO), and sets out the penalties for non-compliance, which can reach up to £17.5 million or 4% of a company’s global annual turnover, whichever is higher.
Concentric AI’s solution can help organisations maintain compliance with the UK’s Data Protection Act in several ways, very much like we help with other privacy compliance regulations.
Discover and Identify Data: Concentric AI uses advanced machine learning technologies to autonomously scan and categorize data, including personal and sensitive data. It identifies where the data is stored (in the cloud, on premises, structured or unstructured), learns how it’s used, and determines whether it’s at risk. This helps organisations understand what personal information they hold, assess the risk associated with processing personal information, and respond to data subject requests, all of which are crucial for complying with the Data Protection Act.
Monitor and Classify Data for Risk: Concentric AI allows organisations to continuously monitor how data is being used, who it is being shared with, and who accessed it. This helps to quickly and accurately pinpoint risk from inappropriate permissioning, risky sharing, and unauthorized access. Data classification is an important step in achieving compliance because it enables companies to identify, categorize, and organize their data according to its level of sensitivity and importance.
Remediate Data Risk Issues: Concentric AI’s Risk Distance™ analysis uses deep learning to compare each data element with baseline security practices used by similar data to identify risk without rules and policies. It can remediate these access risks as they happen, whether it’s fixing access control issues or permissions, disabling sensitive file sharing with a third party, or blocking an attachment on a messaging service.
Data Security Posture Management: Concentric AI helps organizations manage their data security posture by providing a content-based, categorized view of their data and a risk rating for all data that have been exposed. This allows data security, privacy, and compliance teams to easily find and correct inappropriate sharing, unauthorized access, or wrong entitlements of sensitive data to efficiently prevent data loss.
Working with the Concentric AI solution, organizations can ensure they are compliant with the UK’s Data Protection Act, protecting sensitive data without upfront policies, and without requiring large teams to operationalize.
Our customers are successfully using our product in production for petabytes of data for:
Book a demo today to see firsthand — with your own data — how Concentric’s solution can quickly and easily be deployed to keep up with regulations like the UK Data Protection Act in your organisation.