GDPR Blog Week 9: Data Principles
Those personnel who already have data privacy responsibilities within their organisation will be aware that the Data Protection Act 1998 (the "DPA") set out certain data protection principles that had to be followed. The GDPR, which becomes enforceable on 25th May, does not change a great deal in terms of how data should be processed, but there are some changes which businesses need to be aware of.
When applying the new GDPR framework, processing of data must comply with the following requirements, which I have set out in the table below together with their meaning:
| Principle | Meaning |
| --- | --- |
| Processed lawfully, fairly and in a transparent manner in relation to individuals | This principle requires the data controller, that is, the person collecting the data, to ensure that they have a lawful basis for doing so. There are 6 lawful bases in relation to personal data, and others if you are collecting sensitive data, or "special categories of data" as now redefined under the GDPR. The fairness and transparency elements refer to the information that a data subject must be given or have access to (e.g. via your website) before you collect personal data about them. |
| Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes | This means that you have a legitimate reason for collecting the information you hold about data subjects. The use of this data must be contemplated at the time it is collected. If the purpose changes, or dual purposes materialise, these are not necessarily incompatible, but much depends on whether it is fair to the data subject to use their personal information for this other purpose. If a data subject would not reasonably expect their data to be used in this way, then it is likely to be incompatible. Also consider whether the purpose, primary or secondary, could result in unjustified adverse effects on the individual. |
| Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed | The data should be no more than is necessary for the purpose(s) that you have already identified. An example would be an online purchase of goods. You reasonably need to obtain a name, address, delivery and payment details from a data subject to perform your obligations under a contract to sell goods to them. What you would not require in this scenario is any purchasing preference information or location data that may be a by-product of the transaction on your website. |
| Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay | Similar to the requirement under the DPA, the data must be kept accurate. This means that data that may change regularly, such as credit reports or insurance claim information, should be subject to more regular checks and refresh exercises than data that remains relatively static. That said, all data should be covered by a data protection policy which details what measures are taken to meet this principle. |
| Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals | This principle is similar to the old storage limitation principle. Any refresh exercise carried out to satisfy the accuracy principle above can be done in conjunction with this principle, so that certain categories of data are designated as ready for destruction once they have outlived their usefulness. Weigh the value of the information you hold to your business against the cost, resources and risks involved in retaining it. Legal and regulatory requirements (which may be sector specific) may extend the retention period of data which would otherwise be ready for destruction. Other factors are potential civil or criminal claims; you may consider it necessary to hold on to some categories of data for longer periods for their evidential value. |
| Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures | Organisations must demonstrate that they have taken the necessary security measures to ensure that the data they hold is safe. This will include cyber security technical measures such as firewalls, virus checking and encryption of data, but also training of staff and having a robust data protection policy in place. Consider who has access to different levels of personal (or sensitive) data and whether this access is necessary for their role. The measures implemented must be commensurate with the size of the organisation, the sensitivity and scope of the data held and the resources available to it. |
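The two principles that most readily translate into a repeatable control are data minimisation (the online-purchase example above) and storage limitation (the refresh-and-destroy cycle, with legal or regulatory periods and potential claims able to extend it). The following Python module is an added illustration of both, written for this page rather than taken from the original blog or any product: the purposes, allowed field lists, retention periods, record categories and sample records are all constructed assumptions, and the six-year statutory period is a placeholder, not legal advice for any sector.

```python
"""Purpose-bound handling of personal data.

Added illustration: (1) keep only the fields a stated purpose needs at the
point of collection; (2) at review time decide whether a stored record should
be kept, refreshed for accuracy, or destroyed, honouring legal/regulatory
periods and litigation holds. All names and periods are constructed examples.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# --- Data minimisation -----------------------------------------------------
# Fields an order-fulfilment purpose genuinely needs (assumed). Anything else
# arriving with the web form (location, browsing preferences) is dropped.
ALLOWED_FIELDS = {
    "order_fulfilment": {"name", "address", "delivery_instructions", "payment_token"},
    "marketing_consented": {"name", "email"},
}


def minimise(record: dict, purpose: str) -> tuple[dict, set]:
    """Return (kept, dropped): only fields the stated purpose requires survive."""
    allowed = ALLOWED_FIELDS[purpose]
    kept = {k: v for k, v in record.items() if k in allowed}
    dropped = set(record) - allowed
    return kept, dropped


# --- Storage limitation ----------------------------------------------------
@dataclass
class RetentionRule:
    category: str
    default_period: timedelta                  # what the business purpose justifies
    statutory_period: Optional[timedelta] = None  # sector-specific duty (placeholder)


@dataclass
class StoredRecord:
    category: str
    collected_on: date
    last_verified_on: date      # last accuracy check
    legal_hold: bool = False    # retained for evidential value in a potential claim


RULES = {
    "customer_order": RetentionRule("customer_order", timedelta(days=365),
                                    timedelta(days=6 * 365)),
    "web_analytics": RetentionRule("web_analytics", timedelta(days=90)),
}


def retention_decision(rec: StoredRecord, today: date,
                       refresh_every: timedelta = timedelta(days=365)) -> str:
    """Classify a record as 'keep', 'refresh' (accuracy check due) or 'destroy'."""
    rule = RULES[rec.category]
    expiry = rec.collected_on + rule.default_period
    # A legal or regulatory retention duty can only lengthen the period.
    if rule.statutory_period is not None:
        expiry = max(expiry, rec.collected_on + rule.statutory_period)
    if rec.legal_hold:
        return "keep"           # evidential value overrides scheduled destruction
    if today >= expiry:
        return "destroy"
    if today - rec.last_verified_on >= refresh_every:
        return "refresh"        # accuracy principle: due for a refresh exercise
    return "keep"


if __name__ == "__main__":
    # Constructed sample input: a web order form that over-collects.
    form = {"name": "A. Customer", "address": "1 Example St", "payment_token": "tok_x",
            "geolocation": "54.97,-1.61", "browsing_preferences": ["shoes"]}
    kept, dropped = minimise(form, "order_fulfilment")
    print("kept:", sorted(kept), "dropped:", sorted(dropped))

    review_date = date(2018, 5, 25)
    for rec in [
        StoredRecord("customer_order", date(2017, 1, 1), date(2017, 1, 1)),
        StoredRecord("web_analytics", date(2018, 1, 1), date(2018, 1, 1)),
        StoredRecord("web_analytics", date(2018, 1, 1), date(2018, 1, 1), legal_hold=True),
    ]:
        print(rec.category, rec.collected_on, "->", retention_decision(rec, review_date))
```

The point of `retention_decision` is that destruction dates are computed from the record's category and collection date rather than decided ad hoc, so the same review run can surface both records that are overdue for an accuracy refresh and records whose purpose has lapsed, while a statutory period or a legal hold is applied explicitly and visibly rather than by someone quietly never running the deletion.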
I hope that this blog has been helpful but please don’t hesitate to contact me, Louise Weatherhead at Louise.firstname.lastname@example.org or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.
We will be releasing our blogs on a weekly basis in the run-up to May to pick apart the new legislation in simple terms and help you to get GDPR-ready. Next week, our topic will be data transfers to different jurisdictions and how they apply within a business or organisation. We hope that our blogs help you to think about transition arrangements and getting to grips with the new GDPR.