GDPR - Back to Basics

Terms and Definitions

Personal data: Information that can directly or indirectly identify a living human being.

Data subject: The individual that the personal data relates to.

Special category personal data: Previously known as sensitive personal data under the previous legislation, special category personal data is information which is particularly sensitive, the disclosure of which could cause harm to that individual, such as race or ethnicity, political opinions, trade union membership, etc.

Processing: Any activities you perform with personal data, such as collecting, sharing, sending, storing or even deleting it.

Data controller: The person or organisation which determines or decides the purposes and means of the data processing, i.e. what the personal data is used for and how it is used.

Data processor: The person or organisation which processes personal data on behalf of or under the instruction of the controller.

Cookies: A piece of software which is planted onto your machine when you visit certain websites.  It is relevant to the GDPR as it records a piece of personal data called the internet protocol (IP) address of the device that you used to access the website.

The Impact of Brexit

One of the legacies of Brexit is that, in the UK, there are two GDPRs; the original EU GDPR and the UK GDPR.  Currently, these two sets of legislation are essentially the same, and after Brexit the UK government brought the EU legislation into UK law via the Data Protection Act (DPA 2018).  The primary difference between the two GDPRs is that the UK GDPR regulates the use of personal data of individuals in the UK, by organisations both in the UK and around the world.  Meanwhile, the EU GDPR continues to govern the use of the personal data of individuals in the EU and around the world, including in the UK.

While the two Regulations are, currently, almost identical, the UK version may soon diverge from the EU GDPR with the introduction of the Data Protection and Digital Information Bill (DPDI), which is due to be passed sometime this summer.

The Seven Principles of the GDPR

There are 6 official principles in the GDPR, as well as an unofficial seventh, which provide the foundation of the GDPR.  

‍

‍

The first of these principles is that personal data must be processed lawfully, fairly and transparently.  To lawfully gather data subjects’ information, your organisation would need to justify the processing under one lawful basis of the 6 lawful grounds for processing data which are set out in the GDPR.  If, for example, an online retailer needed a customer’s name and postal address to sell and deliver goods to them, it could mainly rely on the lawful basis that it would need to process the data in order to enter into the contract with the customer for the sale of the items.

To comply with the ‘fairness’ element of this principle, the retailer would need to only process data in a way that the data subjects would reasonably expect.  Meanwhile, to comply with the transparency element, it would need to display a privacy notice on its website, explaining what personal data they’ll be collecting, the purposes for which it is being collected, and how long they’ll keep it for.

The second principle of the GDPR, purpose limitation, dictates that all processing you perform should be for a specific and explicit purpose, and data shouldn’t be further processed for a purpose incompatible with the original one.

Under the third principle, data minimisation, you should only collect the minimum amount of data necessary for the purposes of the processing. For an online retailer, collecting a customer’s name, postal and email address would be necessary to achieve the purpose of selling and delivering the goods to their house and informing the customer if there is a delay in delivery, but collecting the customer’s date of birth would usually be unnecessary for achieving the purpose and, therefore, a breach of the data minimisation principle.

The data you process should also be accurate and, where necessary, up to date, and these two elements constitute the fourth principle.  It is your responsibility as the data controller to ensure that the information they hold on an individual is accurate and up to date where applicable.

The storage limitation principle requires you to only store personal data for as long as is necessary to achieve the purposes for which it is being processed.  Meanwhile, the sixth principle, secure processing, dictates that information must be processed securely, using appropriate technical and organisational measures.

Alongside these 6 official principles the seventh, unofficial principle, outlined in Article 5, paragraph 2, is the accountability principle, which requires that all controllers demonstrate or prove, through evidence, their compliance with all the other principles.

Getting Started with GDPR Compliance

One of the first things you will need to understand is what personal data you have, where you got it from, who you share it with, and how long you keep it for.  This will include any employee data you hold and personal information about clients and prospective clients, such as sales leads.  As such, a first step that we would recommend on your GDPR compliance journey is to produce data flow maps of all of your processes that involve personal data, including any special category data.  Data flow maps will provide you with a handle on your processing, and you can either produce these maps by hand or use a data flow mapping software tool.

You can use the data flow maps you produce to build a record of processing activities (ROPA).  This is a document which the GDPR requires almost every organisation to produce and maintain.  It is in your organisation’s interest to do more than the bare minimum when building your ROPA, as it provides you with an opportunity to identify all the main data risks which might be raised by your processing.

If legally required to appoint a data protection officer (DPO), you should make sure the individual you appoint possesses the expert knowledge of data protection, law and practice that is expected of them by the Regulation.  

Key Data Protection Policies

An organisation-wide data protection policy

This is a data protection (DP) policy which should span your whole organisation instead of only applying to specific departments, and establish how your organsiation will manage its DP compliance. Your organisation-wide DP policy should be defined in a single document, while other aspects of your compliance will be covered in further policies, which we will detail below.

It’s important to note that corporate DP policies will vary greatly in length and complexity, and this is highly dependent on the types of personal data processing your organisation performs.  

A personal data retention policy

All organisations that process personal data need to have a retention policy which sets out how long the business is entitled or obliged to keep personal data for.  Usually, this policy will have a retention schedule attached, which breaks down all your organisation’s processing into separate processes and assigns to each a duration after which the data must be removed from your systems or, if in hardcopy form, securely disposed of.

These retention periods are determined either by the expiry of the purposes for which the data was collected, or statutory or other legal time limits.  Putting the data retention policy together is often one of the most difficult and time-consuming aspects of an organisation’s DP compliance programme, however is an extremely useful and valuable document.

If your organisation is ever subject to an investigation by the ICO, your retention policy is one of the key documents you will use to demonstrate your compliance under the accountability principle.

Information security policy

A personal data breach occurs when any of the key elements of the data’s security – its confidentiality, integrity, or availability (CIA), also known as the security triad – are compromised.  Rules that manage and control an organisation’s main data security risks are needed to ensure that the organisation’s vulnerability to information-critical incidents involving personal data breaches is either eliminated or kept to the minimum feasible level.  An information security (IS) policy is a document which addresses, at quite a high level, how an organisation will ensure that the CIA of its data is preserved.  In other words, the IS policy outlines the security measures, such as technical and organisational measures (TOMs), that your organisation will apply to all the information it holds, not just personal data.

Data subject rights policy

There are 8 rights granted by the GDPR to data subjects, including well-known rights such as the rights of subject access and erasure, also known as the right to be forgotten.  However, there are other, equally important but less well-known rights, such as the right to restriction, objection, data portability, etc.  The GDPR is primarily focused on protecting individuals’ privacy rights and freedoms, and under the Regulation, controllers have an obligation to facilitate the data subjects’ exercising of their rights, and to meet the fairly strict timeframes it defines for fulfilling data subjects’ requests.  

You must, therefore, have a policy in place which enables you to respond in an efficient and timely manner to any requests from data subjects to exercise their rights, and defines the rules, responsibilities and timescales for handling such requests lawfully.

Personal data breach management policy

The GDPR requires controllers to provide a prompt and detailed notification to the ICO of any breaches that the controller sustains which are likely to incur a high risk to individuals’ rights and freedoms, and to communicate to the affected data subjects themselves.  These information gathering and notification responsibilities which are imposed upon controllers by the GDPR necessitate the development of a personal data breach management policy.