Doesn’t it feel like the best days of the year all come at once? Christmas, New Year, Data Protection Day…

Wait, you didn’t know 28 January is Data Protection Day?

Settle down and let us tell you a story.

Once upon a time, the Council of Europe produced a data protection convention and called it the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. This document is better known as Convention 108.

Let's be honest, you haven’t heard of Convention 108 either, have you? Don’t worry, neither has anyone besides data protection lawyers – and probably not many of those either.

Convention 108 opened for signature on 28 January 1981 – and with that it became the first legally binding international document dealing with data protection.

On 26 April 2006, the Council of Europe determined that Data Protection Day would be celebrated each year on 28 January. This has become a global celebration, which is now called either Data Protection Day or Data Privacy Day (because it would be too simple to just have one name). We're calling it Data Protection Day because that was the original name, and privacy (although very important) is only part of what data protection is about.

The purpose of Data Protection Day is to raise awareness about individuals’ rights to the protection of their personal data and privacy.

As data protection nerds, of course, we try to do this every day – although if we wrote a blog post about it every day, our marketing team might have a word or two to say!

Back to basics: What is Personal Data?

Personal data is information relating to an identified or identifiable living human.

Identifiable means that the person could be recognised from that information, either on its own, or combined with other available information.  This can be all sorts of information, from your name and contact details to your IP address, from information about the sort of products you buy online to your opinions about your colleagues.

Information “relates to” the person if it tells you something about them. This could be information as basic as their name and place of work, or their email address, however, this doesn’t mean that every document that includes their name and place of work or their email address will be personal information. Using a business email as an example, the footer with the person’s details in it will be personal data, but the content of an email saying “please find your invoice attached” will most likely not be.  If, on the other hand, the email says “I’ve been off sick for the past 2 weeks”, this would be personal data.

There are additional protections around the use of “special category data” (sometimes known as “sensitive personal data”) – that’s information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership, information concerning health, sex life or sexual orientation, and genetic and biometric data.

Similar (but slightly different) rules to those for special category data apply to personal data about criminal allegations, proceedings or convictions.

Ok, so what does the law say?

Data protection in the UK is subject to the UK GDPR – that’s our own post-Brexit version of the EU’s General Data Protection Regulation (GDPR), which is currently almost exactly the same as the original – and the Data Protection Act 2018.

These apply to doing anything with personal data which is wholly or partly automated and/or forms part of a filing system (or is intended to) – unless you are acting as an individual in the course of purely personal or household activity. Yes, that means you can’t sue your mum for posting baby photos of you on Facebook. Sorry!

We talk about the scope of what is personal or household activity in our blog post on domestic CCTV – and you might be surprised.

What rights do individuals have under the UK GDPR?

Individuals have a number of rights under the UK GDPR and Data Protection Act in relation to their personal data:

1. The right to be informed about what information someone has about you and what they are doing with it.
2. The right of access to a copy of the personal data held about you, as well as other supplementary information.
3. The right to rectification of inaccurate or incomplete personal data.
4. The right to erasure of personal data (sometimes called the “right to be forgotten”).
5. The right to restrict processing of your personal data, e.g. while decisions are being made about whether it should be rectified or deleted.
6. The right to data portability, which allows individuals to obtain their personal data from one service provider and require it to be moved/copied/transferred to another.
7. The right to object to processing of your personal data, e.g. for direct marketing purposes.
8. Rights relating to automated decision making, including profiling, where decisions made solely by automated means (i.e. without human involvement) would have legal or similarly significant effects on you.

Many of these rights are not absolute (which means that an organisation can refuse to carry out your request in some circumstances), and there are exceptions to them depending on the circumstances.

Why should I care about my data protection rights?

As an individual, it is important to know what your rights are, and what you can do to ensure your information is being used responsibly.

As a business, you are likely to be dealing with personal data in all sorts of contexts, from your employees to your customers, and particularly your marketing activities. With the possibility of massive fines and bad publicity, if you get it wrong, you want to make sure you are dealing with this information properly.

Where can I find out more about data protection?

We use our data protection superpowers to help businesses put (and maintain) the necessary protections in place when they deal with personal data, as well as to help put out the fires if things go wrong.

We’re the experts in getting data on your good side. Find out more about our data protection offering here.