“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
For the purposes of this policy, "Controller" refers to the firm and the obligations it carries in that role.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
“Binding corporate rules” means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
“ICO” means the Information Commissioner’s Office, the regulator of data protection for the United Kingdom.
This data policy and procedure demonstrates the firm’s commitment to responsibility and accountability in data protection, and establishes the firm’s understanding of data protection and data security. Senior management and other relevant individuals at the firm are required to review this policy before making any decision that uses the personal data of a data subject. Employees are required to read and understand the policy before they process personal data.
The Seven Key Principles of the GDPR
The GDPR outlines the seven key principles for the processing of personal data.
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them is collected and processed. The principle of transparency requires that any information and communication relating to the processing of personal data be easily accessible and easy to understand, and that clear and plain language be used. The principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed.
Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of personal data.
The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
In order to process personal data, a controller requires a lawful basis for doing so. If the controller has no lawful basis to process the personal data of the subject, the processing is unlawful, in which case the controller may face enforcement action from the ICO, or from other European regulatory bodies where the enforcement action requires cross-border co-operation.
There are six lawful bases for processing which may be applicable to data controllers. The GDPR’s requirement that processing be transparent means that the privacy notice must set out which lawful basis the firm relies on and at which point in the data processing cycle it applies. For example, a firm may rely on consent to collect the data originally, but rely on compliance with a legal obligation to retain it. A single lawful basis will not always cover every processing operation the controller carries out on the personal data.
The following are the legal bases for processing data:
For the purposes of this data protection policy, the two categories of legal bases which are not self-explanatory are point (1) consent and (6) legitimate interests. These will both be outlined separately below.
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to them, such as by written statement, including by electronic means, or an oral statement. Recital 32 of the GDPR indicates that consent can be obtained by ticking a box when visiting an internet site (opt-in box). However pre-ticked boxes are seen as a breach of the consent rules as this is not an unambiguous indication of a data subjects’ consent. Additionally, consent cannot be bundled with other terms, e.g. terms and conditions to service. Consent to data processing must be obtained separately from any other requirement the controller places on the subject.
Where the processing is based on consent the data controller has a burden to prove that consent had been freely given by the data subject. For consent to be informed, the data subject should be aware of at least the identity of the controller and the purposes of the processing for which the personal data is intended.
Importantly, consent should not be regarded as freely given if the data subject has no genuine or free choice, or is unable to refuse or withdraw consent without detriment. In addition, Recital 43 states that where there is a clear imbalance of power between the controller and the data subject, consent is unlikely to be freely given. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case.
</gml_replace>
<gr_replace lines="25" cat="clarify" orig="Consent as a legal basis">
Consent is the most commonly relied-upon lawful basis for processing; however, it is not the most appropriate in all circumstances. Consent is not appropriate where the customer has no real choice about how their data will be processed, because consent given in those circumstances is not freely given.
Consent as a legal basis for processing is the most commonly used, however, it may not be the most appropriate in all circumstances. Situations where consent is not appropriate include where the customer has no real choice in consenting to how their data will be processed.
Legitimate interests is the most flexible lawful basis for processing. Relying on legitimate interests means the controller takes on extra responsibility for considering and protecting individuals’ rights and freedoms, because the controller’s legitimate interests may be detrimental to the fundamental rights of individuals. A three-part test (the “Legitimate Interests Assessment”, or “LIA”) is used to determine whether legitimate interests is an appropriate lawful basis for the processing:
A wide range of interests may be legitimate interests, these can be commercial interests as well as other wider societal benefits, they may be compelling or trivial.
The Legitimate Interest Assessment must be recorded and retained for as long as necessary to demonstrate to regulators that a legitimate interest has been utilised as a lawful basis for processing. There is no standard format for an LIA, however, it is important to show that the controller has proper decision-making processes in place to justify the outcome of the LIA.
The GDPR further requires the data controller to notify the subject of any legitimate interests which may be used to process personal data. This is to be used in conjunction with the right to be informed.
What is necessary
Every lawful basis except consent requires the processing to be necessary. Processing is necessary only if the purpose it serves cannot reasonably be achieved without processing personal data. For example, processing personal data is not necessary to sell somebody a chocolate bar, but it is necessary to provide somebody with a car quote.
When processing personal data, controllers have an obligation to uphold the following rights of data subjects:
The principle of lawfulness, fairness and transparency requires that the data subject be informed of the existence of the processing operation and its purposes. The right to be informed encompasses the controller’s obligation to provide “fair processing information” to data subjects. The usual means of communicating this information is a privacy notice.
The right to be informed can be met by placing a privacy notice on the controller’s website. Data subjects should be made aware of the notice and given an easy way to access it.
What Information Must be Supplied?
Article 13 of the General Data Protection Regulation sets out the information that the controller must supply to the data subject when their data is collected from them. In any case, this information should also be provided in the privacy notice.
We are mandated to supply the following:
The privacy notice is required to be regularly reviewed to ensure that it remains compliant with the GDPR. Regular data audits should be carried out by the controller to make certain the privacy notice and policy is up to date and fit for purpose.
Non-Privacy notice approach
The right to be informed places an obligation on the data controller to provide the relevant information to data subjects when that data is collected, regardless of the medium of collection. As stated above, the likeliest method of providing information to data subject is a privacy notice on the controller’s website. This is not the only method, and in many cases this may not be the most appropriate method of informing the data subject of the relevant information.
A privacy notice on the controller’s own website has limited reach where data has been purchased from a third party, e.g. a data broker, because the data subject may never visit that website. The right to be informed is not conditional on the medium of collection and applies to every method of collecting data. As such, techniques to satisfy the right to be informed extend beyond a privacy notice and include:
A privacy notice should be delivered using a layered approach. The above applies to each method of data collection, including bought data, websites, face-to-face collection, data mining, etc.
The right to be informed is obligatory for those who control data. Failure to accurately uphold the right to be informed will constitute a breach of the General Data Protection Regulation.
Under the General Data Protection Regulation, individuals have the right to obtain, from the controller, confirmation as to whether or not personal data concerning the subject is being processed, and, where that is the case, access to the personal data and the following information:
A data subject access request is free of charge unless the request is manifestly unfounded or excessive. The deadline to respond is one month from receipt of the request (extendable by a further two months where requests are complex or numerous, provided the data subject is told of the extension within the first month). There is no prescribed method of making a data subject access request; a data subject can submit a request in any medium they wish, and it need not mention the GDPR or use the words “subject access”.
Under the General Data Protection Regulation, data subjects have the right to have inaccurate personal data rectified and incomplete personal data completed. The right to rectification is closely linked with the accuracy principle of the GDPR: if the controller receives a rectification request from a data subject, it is required to take reasonable steps either to satisfy itself that the data is accurate or to rectify it as necessary.
Where the controller would be required to rectify the personal data, but the data must be maintained for the purposes of evidence, they must restrict the personal data’s processing, and not rectify the record.
The right to data portability allows data subjects to obtain and reuse their personal data, the right to data portability is not restricted by the services the firm provides. The data subject can request data portability for their own purposes, including but not limited to, moving, copying, transferring personal data in a safe and secure way, without affecting the data’s usability.
The right only applies to information a data subject has provided to the controller, e.g. if a controller receives personal data from a third party on the data subject the right of data portability does not extend to this data. Additionally, the right to data portability only applies when the controller’s lawful basis for processing is:
Any request for data portability shall be fulfilled without hindrance, which means the controller cannot place any legal, technical or financial obstacles in the way that slow down or prevent the transmission of the personal data to the individual, or to another organisation.
The right to data portability is closely linked with the right to access data. The processes the controller undergoes will be similar to that of subject access.
Under the General Data Protection Regulation, data subjects have a right to restrict the processing of their personal data. Data subjects shall have the right to obtain a restriction of processing where one of the following applies:
The right to restrict processing is not always obligatory, and only applies in the above circumstances. Methods to restrict processing after a request include:
The fact that the processing of personal data is restricted should be flagged on the relevant systems so that it is clearly visible to all individuals at the controller. While a restriction is in place the controller is only permitted to store the data, unless:
The GDPR introduced a right for data subjects to have their personal data erased. The right is not absolute, which means that data subjects can only exercise the right to erasure in certain circumstances. The circumstances in which the right to erasure can be exercised are the following:
The controller is not required to comply with a request for erasure if the request does not meet the requirements above, additionally, the controller is not required to comply with the request if any of the below exemptions apply:
Where the controller is required to erase a data subject’s personal data, it is obliged to erase the data from both live and backup systems. The controller must remove the personal data from live systems immediately. If the data cannot immediately be erased from backups, the controller must be clear with the data subject about the timescale for erasure from the backups, and must in the meantime put the personal data “beyond use”, so that it cannot be accessed by any member of staff. The personal data remains beyond use until it can be erased from the backup system.
Supplementary information for the above rights
The Data Protection Act 2018 provides supplementary provisions for the above data subject rights. Where a data subject requests to exercise any right, the controller is required to inform the data subject in writing whether the request has been granted or refused. If the request has been refused, the controller must notify the data subject in writing of the reasons for the refusal, of the data subject’s right to make a request to the Commissioner under section 51, of the data subject’s right to lodge a complaint with the Commissioner, and of the data subject’s right to apply to a court under section 167. The controller must send the written notice of the outcome, and the accompanying information, without undue delay.
The controller may restrict the information it provides to the data subject in its written refusal if any of the following apply:
Where the controller has decided to restrict the provision of information to the data subject, as above, they are required to record the reasoning for restriction, and if requested provide this information to the Commissioner.
Where the controller accepts a request for erasure, restriction or rectification in respect of personal data which it has disclosed to a recipient, it is required to notify each such recipient, unless this proves impossible or involves disproportionate effort. The recipients are then obliged to erase, restrict or rectify the personal data of the data subject accordingly.
The General Data Protection Regulation gives data subjects the right to object to the processing of their personal data at any time. Data subjects can object to the processing of their personal data in certain circumstances; where the circumstance below applies, the right to object is absolute:
Data subjects exercising the right to object in relation to direct marketing is absolute and cannot be contested. If a request of objection is made for direct marketing purposes, then personal data shall no longer be processed for the use of direct marketing. Controllers can still process the data; however, the processing can no longer be for the purposes of direct marketing.
Data subjects have the right to object to processing in other circumstances, however, in the circumstances mentioned below the right is not absolute:
Data subjects can exercise the right to object to processing in the above circumstances, but must do so on grounds relating to their particular situation. In these circumstances the right is not absolute: the controller can contest the objection where it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual, or where the processing is for the establishment, exercise or defence of legal claims.
The controller is obliged to inform the individual of their right to object to the processing at the point of first communication, and in the privacy notice.
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This means that the data controller cannot subject the data subject to such an automated decision, e.g. an automated decision on whether to grant a loan. However, this provision does not apply in the following three circumstances:
In addition to the above, the ICO has outlined additional requirements in relation to automated individual decision making:
Automated decisions which do not produce legal effects or similarly significantly affects do not fall within the provisions of GDPR Article 22, however, the decision making will be subject to the data protection principles and relevant provisions in the GDPR.
Article 12 GDPR sets out further requirements on how the controller must handle the exercise of each of the above data subject rights. These include:
Article 12 of the GDPR further provides data controllers with the right to refuse an exercise of data subject rights if any of the following are satisfied:
Article 5 of the GDPR provides that the controller shall be responsible for, and be able to demonstrate compliance with, the principles. This is known as the accountability requirement of the GDPR. The controller is responsible for its own compliance with the GDPR, including the compliance of any of its employees or other individuals who have access to the data it holds, and must additionally be able to demonstrate that compliance, e.g. by recording the lawful basis for each processing activity and by recording every exercise of a data subject right and its outcome.
The GDPR provides that personal data shall be retained only for as long as “necessary”. If the processing is no longer necessary, e.g. the controller no longer has a lawful basis to process (store) the data, then the controller should erase it. Without prejudice to any regulatory retention requirements (which fall under the legal obligation lawful basis), personal data will be retained only for as long as is strictly necessary for the controller’s processing activity.
As part of the controller’s documentation they retain personal information which pertains to the following, please note this is not exhaustive:
The GDPR provides that once personal data has been anonymised the data subject is no longer identifiable, so the data is no longer personal data and the GDPR no longer applies to it. The controller is not required to anonymise data; however, without prejudice to its retention rules, the controller may choose to anonymise data it would otherwise destroy and retain it for its own purposes. Data subjects have no rights in relation to anonymised data, as they are no longer identifiable from it. Personal data will not be regarded as anonymised if at any time an individual could access the data and identify any person in the data set, including by combining it with other data reasonably likely to be available.
Pseudonymisation, on the other hand, does not make data subjects unidentifiable: the data remains personal data. Pseudonymisation is a security measure the controller may use to protect data subjects’ personal data, and to demonstrate its compliance with the principles outlined in the GDPR. Its effectiveness depends on the additional information needed for re-identification (for example a lookup table or a key) being held separately from the pseudonymised data and under its own access controls. Data subjects can still exercise their rights in relation to data which has been pseudonymised.
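The following is an added illustration of the distinction drawn above, written for this page rather than taken from the firm’s systems. It pseudonymises a small constructed set of quote records with a keyed HMAC, keeps the key and re-identification table apart from the working dataset, shows that the key holder can still locate a subject’s rows (so the rights above remain exercisable), contrasts that with an anonymised copy that keeps no link at all, and demonstrates why a plain unkeyed hash of an email address is not a pseudonym: it can be reversed by guessing. All names, addresses, field names and helper functions are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the demonstration; the people are hypothetical.
RECORDS = [
    {"name": "Jane Smith", "email": "jane.smith@example.com",
     "postcode": "SW1A 1AA", "quote_gbp": 412},
    {"name": "John Doe", "email": "john.doe@example.com",
     "postcode": "M1 1AE", "quote_gbp": 655},
]
DIRECT_IDENTIFIERS = ("name", "email")


def make_pseudonym(key: bytes, email: str) -> str:
    """Keyed pseudonym (HMAC-SHA256) derived from a normalised email address.

    The key is the 'additional information' that must be kept separately:
    without it the token cannot be linked back to the address.
    """
    normalised = email.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:24]


def pseudonymise(records, key):
    """Split records into a working dataset and a re-identification table.

    The working dataset carries only the token plus non-identifying fields;
    the table (token -> direct identifiers) is stored apart from it, under its
    own access controls, alongside the key.
    """
    working, table = [], {}
    for rec in records:
        token = make_pseudonym(key, rec["email"])
        table[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working.append({"subject_id": token, **rest})
    return working, table


def find_records_for(email, key, working):
    """Locate a subject's rows in the pseudonymised dataset using only the key.

    This is what lets the controller still service an access, rectification or
    erasure request: the data is pseudonymised, not anonymised.
    """
    token = make_pseudonym(key, email)
    return [row for row in working if row["subject_id"] == token]


def anonymise(records):
    """Drop direct identifiers and coarsen the quasi-identifiers.

    No token and no lookup table are kept, so there is nothing to re-link;
    the postcode is reduced to its outward code and the quote to a 100 GBP band.
    """
    return [
        {"postcode_area": rec["postcode"].split()[0],
         "quote_band_gbp": (rec["quote_gbp"] // 100) * 100}
        for rec in records
    ]


def unkeyed_token(email):
    """A plain SHA-256 of the email: looks like a pseudonym but is not one."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()[:24]


def dictionary_attack(token, candidates, tokenizer):
    """Recover the input behind `token` by running every candidate through
    `tokenizer`. Succeeds against an unkeyed hash of a low-entropy value such
    as an email address; fails against an HMAC whose key the attacker lacks."""
    for candidate in candidates:
        if hmac.compare_digest(tokenizer(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: generated and held in a separate key store
    working, table = pseudonymise(RECORDS, key)
    print("working dataset:", working)
    print("subject located via key:", find_records_for("Jane.Smith@example.com", key, working))
    print("anonymised copy:", anonymise(RECORDS))
    guesses = ["john.doe@example.com", "jane.smith@example.com"]
    print("unkeyed hash recovered:",
          dictionary_attack(unkeyed_token("jane.smith@example.com"), guesses, unkeyed_token))
    print("HMAC recovered without key:",
          dictionary_attack(make_pseudonym(key, "jane.smith@example.com"), guesses,
                            lambda e: make_pseudonym(b"attacker-guess", e)))
```

The point for the policy is the last two calls: an unkeyed hash of an identifier is reversible by anyone who can guess the inputs, so a dataset protected that way is still directly identifiable and gains nothing from “pseudonymisation”; the HMAC token is only linkable by whoever holds the key, which is why the key (and the table) must live outside the working dataset’s access boundary.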
In line with the controller’s accountability obligations in relation to the Principles, only data which is required for the processing is processed. The controller only collects and processes personal data which is required. For example, when collecting data on Jane Smith for an application, the controller only collects data on Jane Smith who is undergoing the application and not every Jane Smith in the United Kingdom.
Under the GDPR principles, the controller is required to store personal data with appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. The security principle covers cyber security (e.g. ensuring the network which hosts the data is secure and resilient against cyber-attacks), physical security and organisational security.
To ensure that data held electronically, whether by the controller or by a processor under contract with the controller (e.g. a cloud hosting service), is stored securely, the controller has to take into account the following:
Where the controller hosts the personal data on its own systems, the above requirements will be reviewed against those systems.
The controller is further required to ensure that the physical security of assets which host the data is secured, this includes company laptops and tangible files etc. The controller is obliged to protect devices in such a way which ensures the security of physical assets, this may include but not limited to:
There is no one size fits all approach in the GDPR to security, as such, the controller is required to implement a risk-based approach. Wherever the risk of a data breach is high then the controller needs to implement more safeguards to protect the data subjects data.
The GDPR implements a process where the controller’s data breaches are required to be reported to relevant regulatory authority, in the case of the United Kingdom, the ICO.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches arising from both accidental and malicious causes. Once a breach has occurred, however small, the controller must establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If a risk to the rights and freedoms of data subjects is likely, the controller must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach; if such a risk is unlikely, the breach does not need to be reported to the ICO, but it must still be recorded internally.
It is for the controller to determine whether the breach needs to be reported to the ICO. The threshold for reporting to the ICO is lower than the threshold for notifying the affected data subjects: the controller is required to notify the data subject of the breach only where there is a high risk to the subject’s rights and freedoms.
In any case when determining whether a data breach is required to be notified to the ICO or the data subject the controller is required to document the decision-making process in order to fulfil the accountability principle of the GDPR.
Failure to report a breach that is required to be reported is itself a breach of the GDPR, and enforcement action can be taken by the ICO, including a fine of up to €10 million or 2 per cent of the controller’s annual global turnover, whichever is higher.
The GDPR introduced the notion of restricted transfers: transfers of personal data to countries outside the European Economic Area, or to international organisations that may host the data outside the EEA. The restriction applies to all such transfers, regardless of size. It applies at the level of the legal entity, so a transfer to an international parent undertaking is a restricted transfer.
In order to transfer data without breaching the restriction, the controller should first establish whether the non-EEA country benefits from an “adequacy decision” of the European Commission. An adequacy decision is a finding by the Commission that the legal framework in place in that country provides adequate protection for individuals’ rights and freedoms in respect of their personal data. The list of adequacy decisions can be viewed on the Commission’s data protection website. If an adequacy decision is in place, the transfer is no longer treated as a restricted transfer and can be effected.
If the country in question does not have an adequacy decision made by the Commission, the controller should establish whether the transfer can be subject to “appropriate safeguards”, which are listed in the GDPR. These safeguards ensure that both the controller and the receiver of the transfer are legally required to protect the individual’s rights and freedoms. The safeguards are the following:
If there is no adequacy decision and no appropriate safeguards can be put in place, the controller should not make a restricted transfer unless the transfer falls within one of the following exceptions:
These exceptions can only be relied upon for occasional restricted transfers, not for systematic or repeated transfers.
If none of the above is available to the controller then no restricted transfer can be made.
The above restricted transfer rules do not apply to transfers within the EEA. Where data is transferred from one organisation to another and both are located in the EEA, the GDPR still applies in full: a transfer is itself a form of processing, so the controller requires a lawful basis for the transfer.