GDPR can be a complicated topic, and we want to help more businesses understand the steps they need to take to be GDPR compliant. When the GDPR 2018 was announced, the ICO released 7 principles of GDPR that need to be adhered to.
- Lawfulness, fairness and transparency – when you collect identifiable data from customers, clients or employees, make sure you have a legal reason for doing it.
- Purpose limitation – where required, you need to have consent.
- Data minimisation – you collect the minimum data required.
- Accuracy – make sure the data you hold is accurate.
- Storage limitation – you should keep data for as long as you need it, and no longer.
- Integrity and confidentiality (security) – you need to ensure the data you hold is secure.
- The accountability principle – you need to take responsibility for what you do with this personal data.
It all looks simple when you break it down like this. However, like everything else in real life, there are more details to follow after these 7 principles of GDPR. Data protection audits need to be started, actions need to be completed, data protection policies need to be put into place, regulations need to be complied with, and GDPR training needs to be undertaken.
Is my business GDPR compliant?
Once we start asking our clients questions, and delving a little deeper, it soon becomes apparent that they are not recording everything they do. And as for that training? It is often a lot more extensive than they ever thought was required. Full GDPR compliance is all about the detail, and the paper trail of data.
Any data that you store, whether that is captured by electronic means, or tucked away in a filing cabinet, must be considered fully under GDPR.
A closer look at the principles
So, we have already briefly explained what the 7 principles of GDPR are, but let’s have a more detailed look into how these can be implemented in your business.
Lawfulness, fairness and transparency
- You must identify valid grounds under the GDPR (‘lawful basis’) for collecting and using personal data.
- You must ensure that you do not do anything with the data which is in breach of any other laws.
- You must use personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.
- You must be clear, open and honest with people from the start about how you will use their personal data.
Purpose limitation
- You must be clear about what your purposes for processing data are from the start.
- You need to record your purposes as part of your documentation obligations and specify them in your privacy information for the individuals.
- You can only use the personal data for a new purpose if either this is compatible with your original purpose; you get consent; or you have a clear obligation/function set out in law.
Data minimisation must be:
- Adequate – sufficient to properly fulfil your stated purpose.
- Relevant – has a rational link to that purpose.
- Limited to what is necessary – you do not hold more than you need for that purpose.
Accuracy
- You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact.
- You may need to keep the personal data updated, although this will depend on what you are using it for.
- If you discover that personal data is incorrect or misleading, you must take reasonable steps to correct or erase it as soon as possible.
- You must carefully consider any challenges to the accuracy of personal data.
Storage limitation
- You must not keep personal data for longer than you need it.
- You need to think about, and be able to justify, how long you keep personal data. This will depend on your purposes for holding the data.
- You need a policy which sets out standard retention periods wherever possible, to comply with documentation requirements.
- You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.
- You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
- You can keep personal data for longer if you are only keeping it for public interest, archiving, scientific or historical research, or statistical purposes.
Integrity and confidentiality
- You must ensure that you have appropriate security measures in place to protect the personal data you hold.
Accountability
- The accountability principle requires you to take responsibility for what you do with personal data and how you comply with the other principles.
- You must have appropriate measures and records in place to be able to demonstrate your compliance.
Seven Guiding Principles
In summary, think of the 7 principles of GDPR as way-markers on your GDPR compliance journey. InfoLore can help walk you through them, but this is just the start. GDPR is time structured, time sensitive and challenging. If you require any help with your GDPR audits, documentation, policies or training, contact us today.