A Basic Guide introducing you to Data Protection and GDPR
This article forms part of a collection introducing Data Protection and the ‘GDPR’. It is based on staff training we have delivered for companies to make sure their people had a basic working knowledge of the rules and could take practical steps to protect the personal information of the individuals in their care.
This guide takes you through the overview and basics of the seven key principles of the GDPR. If you have any questions or require consultation or guidance, please don’t hesitate to contact me to discuss further.
What are the principles of the General Data Protection Regulation (GDPR)?
The GDPR is around 260 pages long, organised into 11 chapters and 99 articles. Article 5(1) sets out six principles, (a) to (f), and Article 5(2) adds a seventh, accountability. Together these are the seven key principles covered below.
Before we start, some terminology. The individual whose personal data it is (the ‘end-user’) is the Data Subject.
The organisation that decides why and how that data is collected and used is the Data Controller. If the controller passes the data to another company to process on its behalf (for example, it uses cloud software and stores your information there), that company is a Data Processor. A controller that processes the data itself is simply a controller; the term ‘processor’ is reserved for a separate organisation acting on the controller’s instructions (Article 4(7) and (8)).
LAWFULNESS, FAIRNESS AND TRANSPARENCY
(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
Organisations need to make sure that their collection of personal data, and everything they do with it once they have it, has a valid lawful basis under Article 6, and that they are not hiding anything from Data Subjects, such as how the data will be used and who it will be shared with. In practice this is what a privacy notice is for: it must be provided at the point of collection, in plain language.
PURPOSE LIMITATION
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
Organisations should only collect personal data for a specific purpose. They need to state clearly what that purpose is, showing it to the data subject before the data is provided, and must not later use the data for something incompatible with that purpose. A new, incompatible purpose needs a fresh lawful basis and a fresh notice to the data subject.
DATA MINIMISATION
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
Organisations should collect only the personal data they actually need for the stated purpose (see #2). This protects data subjects in two ways: it stops companies abusing their position and invading people’s privacy, and it limits the damage from a data breach, because only the minimum data that was ever needed can be lost. The benefit to Data Controllers and Processors is that holding only the minimum data makes it much easier to keep that data accurate and up to date, and reduces what has to be secured, retained and eventually deleted.
ACCURACY
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
Companies must take every reasonable step to ensure that the personal data they store is accurate, and must have processes in place to correct or complete data that is inaccurate or incomplete.
Data Subjects have the right to ask for inaccurate or incomplete information held about them to be corrected or completed (the right to rectification, Article 16). The controller must act on such a request without undue delay and in any event within one month, extendable by a further two months where the request is complex (Article 12(3)).
STORAGE LIMITATION
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
Data Controllers and Processors must delete personal data (or anonymise it so that it no longer identifies anyone) when it is no longer needed. Companies cannot hang onto your information forever ‘just in case’, which is valuable protection for data subjects when a company they have not used for years suffers a breach.
This is, however, a hard period to define, and one your company needs to write into a retention policy. An eCommerce business might justify keeping a customer’s details for as long as they remain a customer, or for as long as tax law requires the records to be kept. As long as the retention period can be reasonably defended against the stated purpose, and is actually enforced, it is compliant.
INTEGRITY AND CONFIDENTIALITY
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The language of this principle is deliberately vague so that it can remain flexible: what counts as ‘appropriate’ security changes as best practice improves, and it is also proportionate to the risk, so a small company holding a mailing list is not expected to have the same controls as a hospital.
This means your organisation must ensure that the data is stored securely (Article 32 specifically names encryption and pseudonymisation of personal data as measures to consider), that access to the data is limited to the personnel who require it, and only for as long as they need it, and that your staff are trained to help prevent the general misuse of data, such as accidental loss, destruction or damage. Article 32 also expects you to be able to restore availability after an incident (backups) and to regularly test the measures you have put in place.
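The two technical measures mentioned above, pseudonymisation and limiting each person to the fields they need, together with the retention check from the storage-limitation principle, are easier to picture in code. The following is an added example, not code from the original article: it uses a keyed HMAC so that pseudonyms cannot be reversed (or recomputed by an attacker) without the key, which must be held separately from the pseudonymised data; the customer records, the role-to-field policy and the retention period are all constructed for the example.

```python
"""Pseudonymisation, per-role field minimisation and a retention sweep.

Added example illustrating GDPR principles (c), (e) and (f); not code from
the original article.  Sample records, the ROLE_POLICY table and the
retention period are constructed assumptions for illustration.
"""
import hmac
import hashlib
import secrets
from datetime import date, timedelta

# Fields that identify a person directly.  Pseudonymised copies must not
# carry any of these in clear.
DIRECT_IDENTIFIERS = ("customer_id", "email", "full_name", "phone")

# Constructed least-privilege policy: which fields each role may see, and
# whether identifiers must be pseudonymised before the role sees them.
# Analytics can still count, join and segment on the pseudonymised
# customer_id but cannot tell who the person is.
ROLE_POLICY = {
    "analytics": ({"customer_id", "country", "signup_date"}, True),
    "support":   ({"customer_id", "email", "full_name", "last_order"}, False),
}

# Constructed sample data (not real people).
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "ada@example.com", "full_name": "Ada Lovelace",
     "phone": "+44 20 7946 0000", "country": "GB",
     "signup_date": "2017-03-02", "last_order": "2017-06-30"},
    {"customer_id": "C-1002", "email": "alan@example.com", "full_name": "Alan Turing",
     "phone": None, "country": "GB",
     "signup_date": "2019-11-20", "last_order": "2019-12-01"},
]


def pseudonymise(record: dict, key: bytes) -> dict:
    """Return a copy with direct identifiers replaced by keyed pseudonyms.

    HMAC-SHA256 with a secret key, rather than a plain hash, means someone
    who obtains the pseudonymised data set cannot re-identify people by
    hashing guessed e-mail addresses or phone numbers themselves.  The key
    is the 'additional information kept separately' of GDPR Article 4(5).
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        value = out.get(field)
        if value is not None:
            out[field] = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return out


def view_for_role(record: dict, role: str, key: bytes) -> dict:
    """Apply data minimisation: return only the fields this role is entitled to,
    pseudonymising identifiers first where the policy requires it."""
    if role not in ROLE_POLICY:
        raise ValueError(f"no access policy defined for role {role!r}")
    allowed, pseudonymise_first = ROLE_POLICY[role]
    source = pseudonymise(record, key) if pseudonymise_first else record
    return {k: v for k, v in source.items() if k in allowed}


def past_retention(last_activity: date, retention_days: int, today: date) -> bool:
    """True once the retention period tied to the record's purpose has elapsed."""
    return today - last_activity > timedelta(days=retention_days)


def retention_sweep(records: list, retention_days: int, today: date) -> tuple:
    """Split records into (keep, purge) according to the retention policy.

    Here the policy is 'delete N days after the customer's last order';
    the purge list is what a scheduled job would erase or anonymise.
    """
    keep, purge = [], []
    for rec in records:
        last = date.fromisoformat(rec["last_order"])
        (purge if past_retention(last, retention_days, today) else keep).append(rec)
    return keep, purge


if __name__ == "__main__":
    # In production the key lives in a secrets store, never beside the data.
    key = secrets.token_bytes(32)
    for rec in SAMPLE_RECORDS:
        print("analytics sees:", view_for_role(rec, "analytics", key))
        print("support sees:  ", view_for_role(rec, "support", key))
    kept, purged = retention_sweep(SAMPLE_RECORDS, 730, date(2020, 1, 1))
    print("retain:", [r["customer_id"] for r in kept])
    print("purge: ", [r["customer_id"] for r in purged])
```

The point of the separate key is that pseudonymised data is still personal data while the key exists; only if the key is destroyed (and no other route back to the individual remains) does the data become anonymous and fall outside the Regulation.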
Sending an email containing a data subject’s personally identifiable information (PII) to the wrong person, even someone inside your own company, is a breach of this principle: it is an unauthorised disclosure, and if it risks harm to the individual it may also need to be reported to the ICO within 72 hours (Article 33). When we come to talk about data breaches I prefer the term ‘misuse of data’, because ‘breach’ makes it sound as though your organisation has been hacked and a third party is at fault, when most incidents are caused internally.
Staff training is very important. If you have a data breach and are investigated by the ICO, who do you think they are more likely to be lenient with: the company that trained its staff, or the company that was hoping its staff knew the basics themselves?
ACCOUNTABILITY
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
This is a big change from the UK Data Protection Act 1998, under which a third party processing data on your behalf had no direct statutory obligations of its own. Under the GDPR, processors now have direct obligations (Article 28) and can be fined in their own right, but that does not relieve the controller. This accountability principle means you must make sure that the entire chain of controllers and processors you allow to handle your data subjects’ information is taking the necessary steps to comply with the GDPR. If one of them has a breach they will take their share of the blame, but the buck stops with you, and your organisation can be fined.
This means you need a list of all the third parties and data processors you use, a written contract with each of them covering the points Article 28(3) requires (including acting only on your instructions, keeping the data secure and deleting or returning it at the end of the engagement), and assurance that they only have access to the minimum data needed and are handling it securely.
On top of this, you as an organisation need to be able to demonstrate your compliance. You need the appropriate technical and organisational measures in place (including evidence that you have trained your staff), your contracts with customers, clients and staff all need to meet GDPR requirements, and every process in the company that handles personal data must follow ‘data protection by design and by default’ (Article 25): privacy and protection of the data cannot be an afterthought.
Finally, your organisation might need to appoint a Data Protection Officer (DPO). Under Article 37 this is mandatory only in three circumstances:
- Your Organisation is a public authority or body.
- Your Organisation’s core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale.
- Your organisation’s core activities consist of large-scale processing of special categories of data (sensitive data such as a person’s health information, religion, race, sexual orientation, etc.) or of data relating to criminal convictions and offences.
It is important to note that these tests apply whatever the physical size of your company, down to a single employee. It is also important to note that the Regulation does not define ‘large scale’, so it is open to interpretation; Recital 91 and the Article 29 Working Party guidance on DPOs suggest weighing the number of data subjects, the volume and range of data, the duration of the processing and its geographic extent.
Even if your company is not required to have a DPO under the above circumstances, the Article 29 Working Party (now the European Data Protection Board) encourages organisations to appoint one voluntarily to provide the best possible protection for data subjects. Be aware, though, that a voluntarily appointed DPO is subject to exactly the same requirements (Articles 37 to 39) as a mandatory one, so if you give someone the title you must also give them the independence, resources and reporting line the Regulation demands.