When the General Data Protection Regulation (GDPR) came into force earlier this year, many companies made changes to their policies and processes to become compliant.

In this video, we explain the importance of remebering the Data Protection Act 2018, as well as GDPR, when processing special categories of personal data.


Welcome to Gowling WLG's data protection series, my name is Rocio de la Cruz, Principal Associate at the firm and a Data Protection expert. In this part one, I will explain the importance of looking at the UK Data Protection Act 2018 to make sure that you use personal data without breaching the law.

Since you have been implementing the General Data Protection Regulation (GDPR) in your business you know that:

To process any personal data you need to meet one of the conditions in article 6 of the GDPR. For example, that you have a Legitimate Interest

in using the personal data for marketing purposes, which is not overridden by peoples' interests. And, to process a special category of data for example data concerning health you need to meet one of the Article 6 conditions AND one of the derogations in article 9 of the GDPR.

So, to process data for example concerning your employees' health conditions, looking at the GDPR, you rely on the fact that this is

necessary to comply with a legal obligation (article 6 conditions), and necessary to perform an obligation in the field of employment which is an article 9 derogation.

However, you are at risk if you only look at GDPR. These articles must be considered along with the Data Protection Act 2018 because the Data Protection Act not only includes additional grounds for processing, but also implements additional requirements that you need to put in place. And this is very important if you are processing special categories of data or criminal offence data. Some of the derogations in article 9 are subject to "authorisation by Union or Member State Law". These are where the processing is necessary:

  • In the field of employment, social security or social protection law
  • For reasons of substantial public interest
  • For preventive or occupational medicine, health or social care
  • For reasons of public interest in the area of public health, AND,
  • For archiving purposes in the public interest, scientific or historical research or statistical purposes.

So, if you rely on one of these conditions, the good news is that, as expected, all of them have been authorised by the DPA. However this is subject to specific conditions applicable to each of them. So you need to make sure that you meet all the requirements.

The most relevant points are:

That some conditions are detailed and narrowed down, for example, you will not have total discretion on deciding what is, and what is not, in the substantial public interest because, to rely on substantial public interest condition, you need to meet one of the "substantial public interest conditions" listed in the Data Protection Act and, for most of these conditions you need to put in place an appropriate policy document and also additional safeguards.

The appropriate policy document is not the general data protection policy you may have implemented but a standalone document explaining how you comply with the data protection principles and what your retention and deletion policies are when processing THAT particular data, for that special condition that you are relying on.

On the other hand, the additional safeguards require you to keep the policy document for a period of six months after the processing finishes, and review, update and have it available during this time.

You also need to include some information in your records of processing activities concerning the processing of this data, including:

  • What condition under the Data Protection Act is met?
  • What general condition of article 6 of GDPR is addressed?
  • And whether that personal data is retained or deleted according to that standalone policy that you have put in place.

In addition, there are particular requirements for specific conditions. For example, to rely on the research condition in order to process special categories of personal data for research purposes, you need to:

  • Have in place measures to protect individuals' rights
  • Not process the data in a way that may cause damage or distress
  • Not use the data to take decisions on a particular individual (save for some exemptions) which are stated in section 19 of the Data Protection Act
  • Demonstrate that the purposes of the research is in the public interest, otherwise it is more likely that you need consent in order to process this special category of data for research purposes.

You can find more details in sections 10, 11, and 19, and Schedule 1 of the Data Protection Act. Whichever condition you rely on don't forget

To be transparent and always find the easiest and clearest way to explain what you do with people's data.

We will be back soon with more Data Protection Tips. If you want to know more about this topic, the impact on Brexit or data breach notification don't miss our IT Masterclass Webinar that will be available on our website soon.

Thank you, and have a good day.

Read the original article on GowlingWLG.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.