The EU General Data Protection Regulation (or GDPR) was established to protect the rights and freedoms of Data Subjects with respect to their Personally Identifiable Information, and it defines who may use and retain their data, and how, for organisations around the world. To help you manage your GDPR practices, we’ve written a quick guide.
As the UK has now left the EU, the EU GDPR no longer covers the UK or the protection of UK citizens. However, to ensure that personal information is still protected, the government introduced the UK GDPR, which sits alongside the Data Protection Laws 2018. The key principles, rights and obligations of the law remain the same, but there are implications for the rules on transfers of personal data between the UK and the EEA. The UK GDPR also applies to controllers and processors based outside the UK if their processing activities relate to:
- offering goods or services to individuals in the UK.
- monitoring the behaviour of individuals taking place in the UK.
There are also implications for UK controllers who have an establishment in the EEA, have customers in the EEA, or monitor individuals in the EEA. The EU GDPR still applies to this processing, but the way you interact with European data protection authorities has changed.
For full details please visit the Government website.
Special Categories of Data
The laws cover personal data, such as name, address and date of birth. However, they also cover special categories of data: data that can cause harm if it is lost or stolen. This includes:
- Genetic / biometric data
- Racial / ethnic origin
- Political opinions
- Religious beliefs
- Trade union membership
- Physical and mental health
With this type of data, you must explain what you are asking to collect and store, and why.
6 Lawful Bases for Processing
There are 6 reasons why it can be lawful to process a data subject’s personal information. These are:
- Consent – the data subject must opt into their personal information being processed.
- Contract – the performance of a contract or to take steps under the request of the data subject before entering a contract.
- Legal obligations – the data subject must confirm their identity before their information is processed.
- Vital interest – data is processed to protect the subject’s vital interests, for example looking at their medical records to save their life.
- Public task – data is processed in the public interest, for example using data to ensure that everyone eligible receives a voting slip.
- Legitimate interests – data is processed in a way that is expected by the data subject, and it cannot be used for anything else.
7 Principles of Data
There are 7 principles of data that you must follow when collecting, processing and storing data. These are:
- Ensure you are being fair, lawful and transparent.
- Only use the data for what was agreed.
- Use the minimum amount of data needed to complete your purpose.
- Ensure that details are recorded accurately and are up to date.
- Only keep records for as long as necessary.
- Ensure confidentiality and security.
- Remember accountability – you are responsible for the data.
What is a Data Breach?
A data breach is a breach of security which leads to the accidental, deliberate or unlawful destruction, loss or change of data, or to unauthorised disclosure of or access to data.
How to Avoid Data Breaches
To avoid data breaches, you must ensure that you are complying with the laws, the bases for processing and the principles of data.
There are also steps you can take as a company to prevent data breaches. These include, but are not limited to:
- Ensure electronic files are backed up
- Use a shredder when destroying data
- Ensure former employees do not have any access to files or personal data
- Ensure that any data is protected under lock and key to avoid any unauthorised personnel gaining access
- Always confirm the identity of anyone requesting data
- Password-protect devices and files
- Avoid auto-fill
- Ensure no one can hear or see anything they shouldn’t
How to Report a Data Breach
A breach should always be reported to the data protection lead.
You should take immediate action: contact everyone affected by the breach, recover the details if possible, and keep the data subjects informed of any updates. Finally, you should investigate what happened, why it happened, who was at fault, whether it could have been avoided, and which policies or processes need to be implemented to avoid the situation happening again.
Here at Wurkplace, we offer an online GDPR course that goes into detail about everything you need to know about GDPR, data subjects and breaches. If you’d like further guidance on your GDPR practices, or if you wish to know what to do in the event of a data breach, get in touch. We regularly advise our HR clients on data protection. Contact us via our online form, or by calling us on 0330 400 5490.
Currently practising all aspects of Human Resources, including employee rights, discrimination, and how to manage grievances and disciplinaries.