This is a brief overview of your responsibilities as to how personal data should be treated. For more advice, see the ‘Further Reading’ section.
- Data shall be processed lawfully, fairly, and in a transparent manner. Your organisation must only use data within the legislative framework, use it for the right reasons, and make sure that the data subject knows what you are going to do with it.
- Data shall be used for a specified, explicit and legitimate purpose. It is not OK to use the same data for other things that have not been made clear to the data subject, or for anything incompatible with these values.
- Data shall be adequate for its purpose, relevant, and limited to what is necessary for that purpose. It is not acceptable to collect information you don’t need.
- Data shall be accurate and kept up to date. You are required to take reasonable steps to erase out-of-date information, or update it if it is still relevant for its stated purpose.
- Data shall be kept in a form by which individuals can be identified for no longer than necessary (some archiving in the public interest is allowed: see further reading).
- Data shall be processed in a way that ensures appropriate security of personal data, including protection against unauthorised access or accidental loss.
Much of this will be familiar from the DPA. Generally speaking, if your organisation relies on the consent of an individual to process their data, then they have stronger rights – for example, to ask you to delete the data you hold about them. Consent requires a positive opt-in (not pre-ticked boxes or something hidden in the terms and conditions), and you must provide an easy way for them to withdraw their consent. You do not need to refresh all existing consents ahead of the GDPR, but it makes sense to ensure you are meeting the standards from this point forward.
The GDPR brings a new accountability requirement: this is a big one. Practically speaking, you need to show HOW you comply with the principles. For example, you might document how you took the decisions you did about how to process the data you hold, ensure you record staff training, appoint a Data Protection Officer (DPO), ensure all breaches are notified and recorded within 72 hours, and hold internal audits. You also need to have proportionate governance measures in place to ensure privacy ‘by design and by default’. Essentially, you need to show that information security is not an afterthought in your processes.