Sunday 28th January 2024 marks the 43rd anniversary of the opening for signature in 1981 of Council of Europe Convention 108, the Convention for the Protection of Individuals with regard to the Processing of Personal Data, and the 18th year of celebrating Data Protection Day - or Data Protection Day as it is known around the world having been adopted more widely.

The object and purpose of the Convention is stated at Article 1 to be “to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him ("data protection")”. While the UK continues to identify the right to private and family life as a fundamental right following the Brexit freedoms afforded to the UK and the subsequent amendments to the GDPR to create the UK GDPR, after the enactment of The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 the UK no longer interprets data protection law and the concept of fundamental rights by reference to the Charter of Fundamental Rights of the European Union, but rather by reference to the European Convention on Human Rights as incorporated into UK law by the Human Rights Act 1998. Unlike the Charter, the Convention doesn’t identify the right to protection of personal data as a separate and distinct right, although decisions of the European Court of Human Rights have recognised that data protection rights can fall within the scope of Article 8 of the Convention in appropriate circumstances.

Subsequently adopted by the US as National Data Privacy Day, the US National Cybersecurity Alliance has themed Data Privacy Day 2024 ‘Take Control of Your Data’.

For data subjects, while (contrary to some over-simplified messaging) the GDPR and UK GDPR don’t afford individuals an unfettered right of absolute control over their personal data, they do provide a range of rights, in particular:

• To be notified about the fact and nature of the processing of personal data by the data controller when they collect it directly from the data subject or within a month of them collecting it from a third party unless it is impossible or would involve disproportionate effort;

• The right to be told whether a data controller is using your information about you and, if so to be provided with various information about that use and a copy of personal data being processed;

• To have any personal data processed by a data controller that is either inaccurate or incomplete corrected or supplemented;

• To have any personal data which is no longer necessary for the controller’s purpose, in respect of which the data subject has withdrawn their consent to processing where this was the relevant lawful basis for processing and there is no other available to the controller, which has been processed unlawfully, which are required to be erased by law, or were collected from a child in connection with information society services, deleted unless an exemption applies and to have third parties who have received the personal data to be notified of the deletion;

• To restrict the access to and use of personal data where the data subject contests its accuracy or objects to processing pending consideration, processing is unlawful but the data subject objects to its erasure or the personal data is no longer required by the controller other than for legal reasons, and to have third parties who have received the personal data to be notified of the restriction;

• To be provided back with a copy of personal data provided by the data subject to the data controller where the processing was based on consent or a contract between the data subject and controller and the processing was based on automated means;

• To object to processing relying as a lawful basis on the performance of a task carried out in the public interest or the legitimate interests of the controller or a third party if the controller lacks a compelling reason to continue, and to processing for direct marketing purposes;

• To not be subjected to decisions based solely on automated processing where this produces legal or similarly significant effects;

• To lodge a complaint with the relevant supervisory authority, which in the UK is the Information Commissioner’s Office;

• To bring proceedings against controllers or processors and against the relevant supervisory authority.

These rights apply to children as much as adults, albeit that there are specific rules as to how children can exercise those rights or their rights can be exercised on their behalf.

One of the best ways that individuals can take control of their personal data is to review the settings on their devices, from phones to computers to televisions and smart home devices, most people have little understanding of the personal information that it collected and may be collated and used to profile people, and the implications of such information. How many apps on your phone have access to your location data? When was the last time you read a privacy notice? How many times have you clicked ‘accept all’ to cookies, enabling companies around the world to target you with ‘more relevant’ advertising? They do this by building a profile about you, your interests, and your likely purchases using data about your device, location, online browsing and who you know. Research by the Information Commissioner’s Office published in 2019 revealed that while 63% of those surveyed believed that the adtech ecosystem was acceptable before being informed how it worked, only 36% thought so aftewards. The same principles apply to apps; when products are ‘free’, you and your personal data are the product. Its value is now becoming more apparent to consumers, as companies offer reduced loyalty card pricing in return for being able to collect data on and analyse your purchases.

While it is always tempting to press ‘accept all’ when setting up a device or attempting to use a product or service, and consumers are often led to take such action through so-called ‘dark patterns’, doing so is not without its implications. While you may think that you don’t particularly care whether a retailer knows your purchase history, data analytics that enable retailers to know if a woman is pregnant – before she has told them – from her purchases are not only potentially intrusive but in some countries could expose individuals to criminal investigation or prosecution.

But not just applicable to data subjects, data controllers can also take steps to ensure that they have control of the personal data in their care. Data Protection Day presents an opportunity to increase awareness within your organisation of the importance of protecting personal data, and/or to refresh the annual data protection training for staff. For internal data protection, information management and/or legal teams, Data Protection Day can be used as a prompt to take stock of the organisation’s current data protection risk profile, reviewing the risk associated with suppliers/vendors, identifying whether to exercise any audit rights that are routinely incorporated into data processing agreements (albeit rarely used), and reviewing security arrangements. It can be useful to engage an external organisation to conduct such reviews, which can assist in benchmarking. It can also be a good time to ensure that data protection is on your organisation’s leadership agenda, reviewing the year, identifying forthcoming opportunities (such as those resented by the Data Protection and Digital Information Bill) and emerging risks.

28th January now offers a global opportunity to reflect on the protections afforded to personal data, their efficacy and whether they remain fit for purpose as we enter the age of artificial intelligence.

For more tips on how you can use Data Protection Day as a catalyst to raise awareness of and secure engagement with your organisation’s data protection programme, read about our previous suggestions for Data Protection Day.

Find out more about our data protection and data privacy services.