GDPR Notes (ico.org.uk)

Description

Note on GDPR Notes (ico.org.uk), created by Sophie Hayes on 25/09/2019.

Resource summary

The General Data Protection Regulation (shortened to GDPR) came into force in May 2018 and is responsible for protecting personal data. It aims to give control back to citizens, changing 'opt-out' to 'opt-in', and allowing citizens to see exactly how their data is used.

The regulations consist of seven principles:

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality (security)
7. Accountability

Lawfulness, fairness and transparency

You must identify valid grounds for collecting and using personal data. You must ensure that you do not do anything with the data in breach of any other laws. You must use personal data in a way that is fair: do not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned. You must be clear, open and honest with people from the start about how you will use their personal data.

Purpose limitation

You must be clear about what your purposes for processing are from the start. You need to record your purposes as part of your documentation obligations and specify them in your privacy information for individuals. You can only use the personal data for a new purpose if either this is compatible with your original purpose, you get consent, or you have a clear obligation or function set out in law.

Data minimisation

You must ensure the personal data you are processing is:
- adequate: sufficient to properly fulfil your stated purpose;
- relevant: has a rational link to that purpose; and
- limited to what is necessary: you do not hold more than you need for that purpose.

Accuracy

You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact. You may need to keep the personal data updated, although this will depend on what you are using it for. If you discover that personal data is incorrect or misleading, you must take reasonable steps to correct or erase it as soon as possible. You must carefully consider any challenges to the accuracy of personal data.

Storage limitation

You must not keep personal data for longer than you need it. You need to think about, and be able to justify, how long you keep personal data. This will depend on your purposes for holding the data. You need a policy setting standard retention periods wherever possible, to comply with documentation requirements. You should also periodically review the data you hold, and erase or anonymise it when you no longer need it. You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data. You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.

Integrity and confidentiality (security)

You must ensure that you have appropriate security measures in place to protect the personal data you hold. Doing this requires you to consider things like risk analysis, organisational policies, and physical and technical measures. You also have to take into account additional requirements about the security of your processing, and these also apply to data processors. You can consider the state of the art and costs of implementation when deciding what measures to take, but they must be appropriate both to your circumstances and the risk your processing poses. Where appropriate, you should look to use measures such as pseudonymisation and encryption. Your measures must ensure the 'confidentiality, integrity and availability' of your systems and services and the personal data you process within them. The measures must also enable you to restore access and availability to personal data in a timely manner in the event of a physical or technical incident. You also need to ensure that you have appropriate processes in place to test the effectiveness of your measures, and undertake any required improvements.

Accountability

You must have appropriate measures and records in place to be able to demonstrate your compliance. Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place.
