Everything you Need to Know about the GDPR
- Posted by Vicky Silver
- Categories Data Protection, GDPR
- Date 06/12/2023
In May 2018, the General Data Protection Regulation (EU) 2016/679 (GDPR) came into effect, setting a new standard of privacy that must be upheld by organisations processing individuals’ (data subjects’) personal data. The Regulation applies to any organisation processing the personal data of data subjects in the EEA. The Data Protection Act (DPA) 2018 implemented the GDPR into UK law, tailoring how it applies in the UK. Following Brexit, the UK adopted its own version of the GDPR, known as the UK GDPR, which applies to the processing of personal information of data subjects in the UK.
GDPR was introduced to standardise data protection laws across all the EU member countries and provide data subjects with more rights over the processing of their personal data, and greater protection of those rights.
The 7 Principles
The GDPR is underpinned by 7 principles, also referred to as ‘6 plus one’, which represent the purposes and aims of the GDPR. These principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability.
Other than the accountability principle, these are almost identical to the principles seen in previous data protection laws, such as the DPA 1998. If your organisation is a data controller or data processor, you are obliged to implement appropriate measures, both technical and organisational, to ensure the data protection principles are adhered to. Essentially, your information systems must have privacy built into them.
The accountability principle means your organisation is responsible for GDPR compliance and for being able to evidence your compliance. For example, you are obligated to report certain types of personal data breaches to the relevant supervisory authority which, if your organisation is UK based, is probably the Information Commissioner’s Office (ICO). This report should be made within 72 hours of you becoming aware of the breach, and failing to notify the supervisory authority can result in a financial penalty of up to €10 million or 2% of your global turnover. It’s important to note that data breaches do not just include data losses, but can also relate to administrative breaches such as failure to adhere to the principles and rights outlined in the GDPR.
If your organisation is going to process personal data, this must be done under one of the 6 lawful bases specified by the GDPR.
What are the 6 lawful bases?
- Consent
- Contract
- Public task
- Vital interest
- Legitimate interest
- Legal requirement
The 6 bases are all equally weighted, with none being considered more important than any other. The basis you use to legitimise your processing will depend on the reason for the processing and your relationship with the data subject. The processing must be ‘necessary’ for a specific purpose, and if you can ‘reasonably’ achieve the same thing without processing personal data, you won’t have a lawful basis. Your basis must be established and documented before the processing begins, and your privacy notice must state your lawful basis and purpose for processing. When gaining consent from data subjects, care must be taken that this consent is fully informed and capable of being withdrawn, as it will otherwise not be valid.
If the reason for your processing changes and personal data you already hold needs to be used for a new purpose, the original lawful basis can only be used if this new purpose is compatible with the original reason it was collected, unless the lawful basis you relied on was consent. If you’re processing special category or criminal offence data, you will need to identify an additional condition for doing so. Meanwhile, processing criminal conviction data or data about alleged offences is only permitted under certain circumstances.
The GDPR also sets out the rights of data subjects, which your organisation must respect.
What are the 8 rights of data subjects in the GDPR?
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights around automated decision making and profiling.
How do you Comply with the GDPR Principles?
Lawfulness, fairness and transparency
To comply with this principle, your organisation must ensure its data collection and processing practices are lawful, and nothing is being done with personal data which will breach any legislation. To meet the ‘fairness’ requirement, you must not process personal data in a way that is unnecessarily detrimental, unexpected or misleading to the data subjects. Transparency, meanwhile, requires openness and honesty with data subjects about what, how and why their data is being processed, and your privacy notice is usually the easiest and most effective way to communicate this.
Purpose limitation
The ‘purpose limitation’ principle dictates that personal data must only be collected for specific, explicit, and legitimate purposes, and these purposes must be recorded as part of your documentation obligations, specified in your privacy policy, and in any other relevant documents. Personal data can only be stored for as long as is necessary for the intended purpose. It is vital to remember that personal data can only be used for a new purpose if it is compatible with your original purpose, you obtain consent, or you have a clear obligation or function set out in law. We at URM recommend that you conduct a data protection impact assessment (DPIA) before using personal data for a new purpose, as this will help you fulfil your documentation and evidencing obligations.
Data minimisation
This works hand-in-hand with the purpose limitation principle, and requires that the personal data processing is adequate, relevant and the minimum necessary to meet your purpose. Collecting and processing less information is not without its benefits to your organisation. Holding less data will simplify the process of keeping it up to date and accurate, helping you comply with the ‘accuracy’ principle. Data minimisation also helps to limit any damage if a data breach occurs, and means you don’t have as much to disclose in response to a data subject access request (DSAR).
Accuracy
Ensuring that the personal data you process is accurate is another of your key obligations under the GDPR. To comply with this principle, the ICO states that your organisation should ‘take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact’. If you discover that any personal data is misleading or incorrect, it is your responsibility to take all reasonable steps to correct or erase it as soon as possible. The GDPR provides data subjects with the ‘right to rectification’, meaning they can request that inaccurate or incomplete data be rectified (or erased); however, the claimed inaccuracy must be validated before any changes are made. In the event of an accuracy dispute, processing may need to be temporarily restricted while it is settled.
Storage limitation
The ‘storage limitation’ principle dictates that personal data must only be retained as long as it is required for the defined and agreed purposes for processing. If possible, your organisation should develop a policy outlining standard retention periods, allowing you to comply with documentation requirements. Any personal data you hold should be reviewed at regular intervals and, when it is no longer needed, erased or anonymised. One of the rights protected by the GDPR is the ‘right to erasure’, so you should consider any potential challenges that individuals may make to your retention of data and be able to justify your retention periods. If you are processing data for scientific reasons or for reasons of public interest, the GDPR does allow longer storage periods.
Integrity and confidentiality
Alongside availability, integrity and confidentiality represent the key principles behind best practice information security and, under the GDPR, personal data must be “processed in a manner that ensures appropriate security of the personal data”. By including the word ‘appropriate’, the legislation acknowledges that information security measures and controls will vary across different organisations working in different sectors. According to the ICO, considering risks “in relation to the nature, scope, context and purpose of your processing” is important when establishing what security measures are appropriate.
The GDPR specifically states that personal data should be processed in a way that protects it against ‘unauthorised or unlawful processing and against accidental loss, destruction or damage’ and, therefore, your organisation needs to ensure it has effective access control in place. To do this, we recommend starting by conducting a risk assessment to determine how risk treatment activities should be prioritised. Risk treatment may include technical controls such as the encryption and pseudonymisation of personal data, as well as physical and organisational controls. It may be useful for your organisation to consider ISO 27001 and ISO 27701 at this stage, as these provide ideal risk-based frameworks to help you establish what systems and measures you should implement to maintain data security.
Accountability
The accountability principle is the key differentiator between the GDPR and previous data protection legislation, such as the DPA 1998. This principle means your organisation is responsible for both ensuring your personal data processing is compliant with the GDPR and for being able to evidence this compliance. There are a range of controls, some of which are mandatory, that your organisation can implement to comply with this principle, including:
- Adopting a data protection by ‘design and default’ approach
- Conducting DPIAs before undertaking new personal data processing activities, particularly when the processing is likely to result in a high risk to individuals’ interests
- Developing and implementing data protection policies and processes
- Implementing appropriate security controls (as is also required by the integrity and confidentiality principle, discussed above)
- Maintaining documentation of your processing activities
- Making sure you have written contracts in place with organisations that process personal data on your behalf
- Developing and delivering training and awareness programmes for your staff
- Adhering to relevant codes of conduct and complying with and/or certifying to management system standards, such as BS 10012 and ISO 27701
- Appointing a data protection officer (mandatory for public authorities or bodies and for organisations carrying out processing which is large scale, high-risk, or conducting privacy intrusive data subject monitoring)
- Recording and reporting personal data breaches.
Full accountability and the proper maintenance of systems and documentation are not without their benefits to your organisation, providing mitigation if you are ever subject to a data breach investigation. However, compliance with the accountability principle is an ongoing obligation, and to fully comply you will need to regularly review and, when required, update measures across all stages of processing. This, like many aspects of GDPR compliance, can be a difficult process to navigate without assistance, and many organisations have benefitted from using consultancy to make sure they are fully complying with the legislation. Help with GDPR compliance is available at urmconsulting.com.