The GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018).
The DPA 2018 applies to all organisations that process personal data. Therefore we first need to consider what 'personal data' is.
Personal data is basically any data or information which relates directly or indirectly to a living person!
This includes names, email addresses, IP addresses etc.
So if your organisation is processing personal data then it must make sure that it complies with the 5 key principles and that it is in a position to respond to all the data subject rights!
So what are the Key Principles?
You must comply with the following principles:
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- storage limitation
- integrity & confidentiality
What is the lawful basis for processing personal data?
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
Consent: the individual has given you clear consent to process their personal data for a specific purpose.
Contract: the processing is necessary to fulfil a contractual obligation with the individual.
Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function.
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Will GDPR be affected by Brexit?
The GDPR will make significant changes to European data protection law.
It will strengthen existing regulations and extend obligations from controllers to data processors.
Even after Brexit, UK businesses which market their products and services to citizens of EU countries will need to comply with the GDPR. Even if they are only dealing with EU businesses, as long as they process any personal data of individuals who belong to EU member states, they will still need to meet the GDPR requirements.
What should you or your organisation do?
- Ask yourself why your organisation processes the personal data?
- Is there a lawful reason for collecting the personal data? If not, delete it!
- How long do you keep it? Can it be legally justified?
- Wherever it exists in your organisation do you have appropriate safeguards in place? Is the personal data encrypted? What about pseudonymisation?
- Do you have systems in place which enable your organisation to respond to data subject rights within the respective time-limits?
- Can you detect, investigate and report a personal data breach?
- Do you need a Data Protection Officer?
- Does your organisation transfer any of the personal data to third parties?
- Where are the third-party processors located?
- Are the third party processors within Europe? Are they GDPR compliant? Do you have a controller-processor contract in place?
- Is the third party processor outside Europe?
- Is the third party processor in a country which is considered adequate by the European Commission?
- If the third party processor is based in a state in the USA does it have the privacy shield?
- Are there any exemptions when transferring personal data to third countries?
- Are your employees aware of GDPR? Have they received the relevant GDPR Training?
Note that many Personal Data Breaches occur due to Human Error – cover your liability!
The payroll data had been supplied by Morrisons to its external auditor, KPMG.
A senior IT Auditor, Andrew Skelton, copied the personal data onto a personal USB device. He had held a grudge against the supermarket for a year and wanted to cause the company significant harm.
He did so by posting the payroll data online on a public file-sharing website. Once the press made Morrisons aware of the breach, the supermarket acted swiftly to get the website hosting the data taken down.
As a result of Andrew's actions, in 2015 he was jailed for eight years for fraud, unauthorised access to a computer and disclosing personal data.
In Various Claimants v WM Morrisons Supermarket the court found Morrisons vicariously liable for Andrew's actions, and it will likely be ordered to pay damages to affected employees.
In certain circumstances the employer may also be vicariously liable, which means that it is liable for its employees' actions!
Can we help you further?
You need to demonstrate compliance and this toolkit can help you! The GDPR Toolkit is aimed at helping organisations tick the boxes to becoming GDPR compliant.
How can Employees become GDPR Aware?
By enrolling on LCATE’s online Employee GDPR Awareness Certificate Course.