GDPR And The 6 Data Protection Principles.
GDPR compliance requires organisations to be able to prove that they comply with the six data protection principles [this is known as ‘accountability’].
Simply put, these are that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to an individual;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes [known as ‘purpose limitation’];
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed [known as ‘data minimisation’];
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the personal data are processed [known as ‘storage limitation’];
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures [known as ‘integrity and confidentiality’].
The Implications For Your Business
Organisations may also be required to:
- provide privacy information to individuals
- respond to requests by individuals to exercise their rights
- incorporate data protection at the design stage
- ensure that data protection is carried out by ‘default’
- define their relationship with any ‘joint controllers’
- appoint an EU or UK representative
- carry out due diligence on, and have proper agreements with, data processors
- create and maintain a Record of Processing Activities
- keep personal data secure
- respond appropriately to personal data breaches
- undertake Data Protection Impact Assessments
- appoint a Data Protection Officer
- lawfully transfer personal data out of the UK
Organisations also need to comply with the Data Protection Act 2018 [this, amongst other matters, sets out how to lawfully process certain types of ‘special category’ personal data, as well as what ‘exemptions’ might apply when dealing with a request by an individual to exercise their data protection rights].
Regard should also be had to the Privacy and Electronic Communications Regulations 2003, which set out the rules for cookies and other tracking technologies and the rules around electronic marketing to individuals.
We can assist with all of the above.
For further information please contact us.