What are my responsibilities in terms of GDPR?
If your organisation handles personal data, the Information Commissioner’s Office (ICO) states:
“You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
“Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.”
What is Personal Data?
“Any information relating to an individual, whether it relates to his or her private, professional or public life.
“It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer’s IP address.”
You might also hear the term ‘sensitive personal data’. This is a reference to special categories of personal data.
What is sensitive personal data?
Special categories of personal data which “uniquely identify a person” are classed in the GDPR as sensitive data, for example genetic and biometric information.
For full details of special categories of personal data, see Article 9 of the GDPR, a link to which is below.
If you’re familiar with the rules of the Data Protection Act 1998, the good news is that the new regulation is broadly similar to them, although there are wider grounds in relation to healthcare and health research.
Personal data relating to criminal convictions is not classed as sensitive data, but the GDPR does introduce extra safeguards in relation to processing it. These can be found in Article 10 of the regulation.
The ICO has published some helpful guidance on special categories of personal data, which you’ll find halfway down the page on this link: ICO Lawful Processing – Conditions for special categories of data.
What must I consider when handling personal data?
Article 5 of the GDPR states that personal data shall be:
- Processed lawfully, fairly and transparently
- Collected for specified, explicit and legitimate purposes
- Adequate, relevant and confined to what is necessary
- Accurate and kept up to date
- Held for no longer than necessary
- Processed in a manner that ensures appropriate security, i.e. guards against:
  - Unauthorised or unlawful processing
  - Accidental loss, destruction or damage
Organisations are required to demonstrate compliance with the above principles.
What is a legal basis for processing data?
To process personal data under the GDPR you must have a legal basis to do so, and document it. Under the Data Protection Act, this is known as ‘conditions for processing’.
The ICO has published some good guidance which you can reach here: Lawful processing of personal data under the GDPR.
What rights do individuals have in terms of GDPR?
GDPR strengthens the rights that currently exist under the Data Protection Act as well as giving new rights.
The right to be informed
Organisations need to be clear on how they use personal data, typically through a privacy notice.
The right of access
Under the GDPR, individuals are entitled to know what information is held about them and how it’s processed.
The right to rectification
Individuals are entitled to have their personal data corrected if it’s inaccurate or incomplete.
The right to erasure – also known as the right to be forgotten
Individuals have the right to request the removal of personal data where there is no compelling reason for its continued processing.
The right to restrict processing
Individuals have the right to block or suppress the processing of their personal data.
The right to data portability
This allows individuals to transfer or copy their personal data from one IT environment to another, safely and securely.
The right to object
Individuals have the right to object to the use of their personal information in certain circumstances. You must offer a way for individuals to object online if you process personal data for the purposes of:
- The performance of a legal task or your organisation’s legitimate interests
- Direct marketing
Rights in relation to automated decision making and profiling
In specific circumstances, individuals have the right not to be the subject of a decision which:
- Has a legal bearing on them; and
- Is based on automated processing
What is the Accountability Principle?
Accountability is one of the data protection principles – it makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance.
You need to put in place appropriate technical and organisational measures to meet the requirements of accountability.
There are a number of measures that you can, and in some cases must, take including:
- adopting and implementing data protection policies;
- taking a ‘data protection by design and default’ approach;
- putting written contracts in place with organisations that process personal data on your behalf;
- maintaining documentation of your processing activities;
- implementing appropriate security measures;
- recording and, where necessary, reporting personal data breaches;
- carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;
- appointing a data protection officer; and
- adhering to relevant codes of conduct and signing up to certification schemes.
Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place.
If you implement a privacy management framework this can help you embed your accountability measures and create a culture of privacy across your organisation.
Being accountable can help you to build trust with individuals and may help you mitigate enforcement action.
What security measures should we put in place?
The GDPR repeats the requirement to implement technical and organisational measures, this time specifically in the context of security. It says that these measures should ensure a level of security appropriate to the risk.
You need to implement security measures if you are handling any type of personal data, but what you put in place depends on your particular circumstances. You need to ensure the confidentiality, integrity and availability of the systems and services you use to process personal data.
Amongst other things, this may include information security policies, access controls, security monitoring, and recovery plans.
What is a Subject Access Request?
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.
Individuals have the right to obtain the following from you:
- confirmation that you are processing their personal data;
- a copy of their personal data; and
- other supplementary information – this largely corresponds to the information that you should provide in a privacy notice.
In addition to a copy of their personal data, you also have to provide individuals with the following information:
- the purposes of your processing;
- the categories of personal data concerned;
- the recipients or categories of recipient you disclose the personal data to;
- your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
- the existence of their right to request rectification, erasure or restriction or to object to such processing;
- the right to lodge a complaint with the ICO or another supervisory authority;
- information about the source of the data, where it was not obtained directly from the individual;
- the existence of automated decision-making (including profiling); and
- the safeguards you provide if you transfer personal data to a third country or international organisation.
Recital 59 of the GDPR recommends that organisations ‘provide means for requests to be made electronically, especially where personal data are processed by electronic means’. You should therefore consider designing a subject access form that individuals can complete and submit to you electronically.
In most cases you cannot charge a fee to comply with a subject access request.
However, where the request is manifestly unfounded or excessive you may charge a “reasonable fee” for the administrative costs of complying with the request.
You can also charge a reasonable fee if an individual requests further copies of their data following a request. You must base the fee on the administrative costs of providing further copies.
What happens when I lose data or have a breach?
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
A personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals.
You must also keep a record of any personal data breaches, regardless of whether you are required to notify.
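The breach-handling rules above (record every breach, report reportable ones to the supervisory authority within 72 hours of becoming aware, and tell affected individuals when the risk to them is high) can be tracked in a simple breach register. The code below is an added illustration, not part of the original FAQ or of any ICO tooling; it assumes the assessor supplies the "is this a reportable type" and "is this high risk" conclusions as inputs, and the sample incident is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOTIFY_WINDOW = timedelta(hours=72)   # clock starts when you become aware of the breach


@dataclass
class BreachRecord:
    """One entry in the internal breach register (kept whether or not you notify)."""
    reference: str
    description: str
    became_aware: datetime                  # must be timezone-aware
    confidentiality: bool = False           # disclosed to, or accessed by, someone unauthorised
    integrity: bool = False                 # altered or corrupted
    availability: bool = False              # lost, destroyed or made unavailable (e.g. ransomware)
    high_risk_to_individuals: bool = False  # assessor's conclusion (assumption: supplied, not derived)
    notify_authority: bool = False          # assessor's conclusion that this is a reportable type

    def is_personal_data_breach(self) -> bool:
        """The FAQ's definition: any impact on confidentiality, integrity or availability."""
        return self.confidentiality or self.integrity or self.availability

    def authority_deadline(self) -> datetime:
        return self.became_aware + NOTIFY_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.authority_deadline() - now).total_seconds() / 3600


def triage(record: BreachRecord, now: datetime) -> dict:
    """Summarise what the register entry obliges you to do at time `now`."""
    breach = record.is_personal_data_breach()
    report = breach and record.notify_authority
    return {
        "record_it": True,  # always, regardless of whether notification is required
        "is_personal_data_breach": breach,
        "notify_authority": report,
        "authority_deadline_utc": record.authority_deadline().isoformat(),
        "hours_remaining": round(record.hours_remaining(now), 1),
        "overdue": report and now > record.authority_deadline(),
        "notify_individuals": breach and record.high_risk_to_individuals,
    }


def example_triage() -> dict:
    """Constructed sample incident: an unencrypted laptop holding client records is stolen."""
    rec = BreachRecord(
        reference="BR-0001",  # placeholder reference, not a real case
        description="Unencrypted laptop with client records stolen from a car",
        became_aware=datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc),
        confidentiality=True, availability=True,
        high_risk_to_individuals=True, notify_authority=True,
    )
    return triage(rec, now=datetime(2024, 3, 5, 15, 0, tzinfo=timezone.utc))
```

Running `example_triage()` shows 42 hours left on the 72-hour clock and flags both the authority and the affected individuals for notification, while `record_it` stays true for every entry.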