Search Legislation

Data Protection Act 2018

What Version

 Help about what version

Advanced Features

 Help about advanced features

Status:

This version of this chapter contains provisions that are prospective. Help about Status

Close

Status

The term provision is used to describe a definable element in a piece of legislation that has legislative effect – such as a Part, Chapter or section. A version of a provision is prospective either:

  1. where the provision (Part, Chapter or section) has never come into force or;
  2. where the text of the provision is subject to change, but no date has yet been appointed by the appropriate person or body for those changes to come into force.

Commencement Orders listed in the ‘Changes to Legislation’ box as not yet applied may bring this prospective version into force.

Changes to legislation:

There are currently no known outstanding effects for the Data Protection Act 2018, CHAPTER 4. Help about Changes to Legislation

Close

Changes to Legislation

Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.

Prospective

CHAPTER 4E+W+S+N.I.Controller and processor

OverviewE+W+S+N.I.

101OverviewE+W+S+N.I.

This Chapter sets out—

(a)the general obligations of controllers and processors (see sections 102 to 106);

(b)specific obligations of controllers and processors with respect to security (see section 107);

(c)specific obligations of controllers and processors with respect to personal data breaches (see section 108).

General obligationsE+W+S+N.I.

102General obligations of the controllerE+W+S+N.I.

Each controller must implement appropriate measures—

(a)to ensure, and

(b)to be able to demonstrate, in particular to the Commissioner,

that the processing of personal data complies with the requirements of this Part.

103Data protection by designE+W+S+N.I.

(1)Where a controller proposes that a particular type of processing of personal data be carried out by or on behalf of the controller, the controller must, prior to the processing, consider the impact of the proposed processing on the rights and freedoms of data subjects.

(2)A controller must implement appropriate technical and organisational measures which are designed to ensure that—

(a)the data protection principles are implemented, and

(b)risks to the rights and freedoms of data subjects are minimised.

104Joint controllersE+W+S+N.I.

(1)Where two or more intelligence services jointly determine the purposes and means of processing personal data, they are joint controllers for the purposes of this Part.

(2)Joint controllers must, in a transparent manner, determine their respective responsibilities for compliance with this Part by means of an arrangement between them, except to the extent that those responsibilities are determined under or by virtue of an enactment.

(3)The arrangement must designate the controller which is to be the contact point for data subjects.

105ProcessorsE+W+S+N.I.

(1)This section applies to the use by a controller of a processor to carry out processing of personal data on behalf of the controller.

(2)The controller may use only a processor who undertakes—

(a)to implement appropriate measures that are sufficient to secure that the processing complies with this Part;

(b)to provide to the controller such information as is necessary for demonstrating that the processing complies with this Part.

(3)If a processor determines, in breach of this Part, the purposes and means of processing, the processor is to be treated for the purposes of this Part as a controller in respect of that processing.

106Processing under the authority of the controller or processorE+W+S+N.I.

A processor, and any person acting under the authority of a controller or processor, who has access to personal data may not process the data except—

(a)on instructions from the controller, or

(b)to comply with a legal obligation.

Obligations relating to securityE+W+S+N.I.

107Security of processingE+W+S+N.I.

(1)Each controller and each processor must implement security measures appropriate to the risks arising from the processing of personal data.

(2)In the case of automated processing, each controller and each processor must, following an evaluation of the risks, implement measures designed to—

(a)prevent unauthorised processing or unauthorised interference with the systems used in connection with it,

(b)ensure that it is possible to establish the precise details of any processing that takes place,

(c)ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and

(d)ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions.

Obligations relating to personal data breachesE+W+S+N.I.

108Communication of a personal data breachE+W+S+N.I.

(1)If a controller becomes aware of a serious personal data breach in relation to personal data for which the controller is responsible, the controller must notify the Commissioner of the breach without undue delay.

(2)Where the notification to the Commissioner is not made within 72 hours, the notification must be accompanied by reasons for the delay.

(3)Subject to subsection (4), the notification must include—

(a)a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b)the name and contact details of the contact point from whom more information can be obtained;

(c)a description of the likely consequences of the personal data breach;

(d)a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

(4)Where and to the extent that it is not possible to provide all the information mentioned in subsection (3) at the same time, the information may be provided in phases without undue further delay.

(5)If a processor becomes aware of a personal data breach (in relation to data processed by the processor), the processor must notify the controller without undue delay.

(6)Subsection (1) does not apply in relation to a personal data breach if the breach also constitutes a relevant error within the meaning given by section 231(9) of the Investigatory Powers Act 2016.

(7)For the purposes of this section, a personal data breach is serious if the breach seriously interferes with the rights and freedoms of a data subject.

Back to top

Options/Help

Print Options

You have chosen to open The Whole Act

The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Act as a PDF

The Whole Act you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open The Whole Act without Schedules

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Act without Schedules as a PDF

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open the Whole Act

The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open the Whole Act without Schedules

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open Schedules only

The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

Close

Legislation is available in different versions:

Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.

Original (As Enacted or Made):The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.

Close

See additional information alongside the content

Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.

Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.

Close

Opening Options

Different options to open legislation in order to view more content on screen at once

Close

Explanatory Notes

Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.

Close

More Resources

Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • correction slips
  • links to related legislation and further information resources
Close

More Resources

Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • correction slips

Click 'View More' or select 'More Resources' tab for additional information including:

  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • links to related legislation and further information resources