The ICO’s new (June 4th) GDPR guide explained
Posted on June 8th 2018
GDPR officially came into force on May 25th, but as the UK’s Information Commissioner suggests, “it is still an evolution, not a revolution.”
As such, information regarding the new regulation is still being released and improved. On June 4th, the ICO published a brand new guide to “help businesses comply with [GDPR] requirements.” The comprehensive guide is 241 pages long and is “intended to cover the key points that organisations need to know.” Among many other things, the guide discusses the seven key principles on which any company’s GDPR compliance should be based. The ICO states that the principles “should lie at the heart of your approach to processing personal data.”
In order to help you make sense of the new information, we have reiterated the principles below. To summarise, the principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
Lawfulness, fairness and transparency
- You should only collect and use personal data in a lawful, valid way.
- You should not do anything with the data you collect that would breach any laws.
- The data should be used and handled fairly and in a way that the owner of the data would expect.
- You should not mislead people about how you will handle their data.
- If you need to use a person’s data in a way that is unexpected, then you must have a valid justification for this.
- Overall, you should be clear, open and honest from the start about how you will use a person’s data.
Purpose limitation
- You must be clear about what your purposes for processing personal data are from the start.
- These purposes need to be recorded as part of your documentation obligations and you should specify them in your privacy information for individuals.
- You may only use the data for a new purpose if it is compatible with your original purpose, you have consent from the owner, or there is a clear basis in the law. The ICO gives the following as an example of a purpose that would be incompatible:
Example: “A GP discloses his patient list to his wife, who runs a travel agency, so that she can offer special holiday deals to patients needing recuperation.”
Data minimisation
You must ensure that the personal data you are processing is adequate, relevant and limited to what is necessary. This means that:
- You should only collect personal data that you actually need for your specified purposes.
- The data should be adequate and sufficient to fulfil these purposes.
- You should periodically review the data you hold, limit the data to what is necessary, and delete anything you no longer require.
The ICO provides a good example of when a company may be obtaining too much data. They say:
Example: “A recruitment agency places workers in a variety of jobs. It sends applicants a general questionnaire, which includes specific questions about health conditions that are only relevant to particular manual occupations. It would be irrelevant and excessive to obtain such information from an individual who was applying for an office job.”
Accuracy
- You should take all reasonable steps to ensure that any personal data you hold is not incorrect or misleading.
- If you discover that any data is incorrect or misleading, you should take reasonable steps to correct the data or erase it as soon as possible.
- You should have appropriate processes to check data accuracy and to identify when it needs to be updated.
Storage limitation
- You should not keep data for any longer than is needed, unless it is being kept for public interest archiving, scientific or historical research, or statistical purposes.
- Data should be periodically reviewed against a standard retention policy and erased when it is no longer needed.
- You should have a process in place to comply with an individual’s request for erasure.
- Individuals have ‘the right to be forgotten.’ However, you may have to keep some data for legal or operational reasons for a further, set time.
Integrity and confidentiality (security)
- You must ensure that you have appropriate security measures in place to protect any personal data you hold.
- This includes taking into account things such as risk analysis, organisational policies and physical and technical measures.
- Any measures you take must ensure the confidentiality and availability of the systems and services within which you store data. There should be processes in place to test the effectiveness of these measures.
- There is a duty on all organisations to report a personal data breach to the relevant supervisory authority within 72 hours of becoming aware of the breach.
- If the breach will result in a high risk to individuals’ rights and freedoms, you should inform those individuals quickly.
- You should ensure you have a response plan for breaches and that you allocate responsibility for managing these to a dedicated person or team.
- You should record any personal data breaches, regardless of whether you need to notify an authority.
What are the lawful bases for processing?
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
Article 23 enables Member States to introduce exemptions from the GDPR’s transparency obligations and individual rights in certain situations where it is a necessary and proportionate measure in a democratic society. The ICO has provided a list of these situations which can be found at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/exemptions/
How can we help?
If you are yet to make sure that your business is completely GDPR compliant, don’t panic, it’s not too late. We can help you ensure that your contracts with your suppliers, employees and customers comply with the new law and minimise the liability you could face following a data breach.
For free initial advice call us today on 01244 312306 or fill in our contact form here.
Article written by Laura Hill
Call and speak to a lawyer on 01244 312306