In our previous note (http://www.punklegal.co.uk/blog/gdpr-grossly-dis-proportionate-reaction), we outlined some of the basics behind the new data protection regime. This follow up includes more detailed analysis of some key aspects of GDPR.
Data Protection Principles
Article 5 of GDPR contains 6 principles which all Data Controllers and Data Processors must comply with:
- Lawful, fair and transparent processing of data.
- There must be a specified, explicit and legitimate purpose for collecting data. The Personal Data cannot then be further processed in a manner that is incompatible with that purpose.
- Proportionality – processing must be adequate, relevant and limited to what is necessary in relation to the purposes for which the Personal Data was collected.
- Personal data must be accurate and up to date. This includes an obligation to correct or delete inaccurate data.
- Storage – Personal Data should be kept in a form where Data Subjects can be identified for as short a time as possible.
- Security – all Personal Data must be processed and kept securely. This includes preventing the unauthorised and unlawful processing of data, as well as protection against accidental loss or destruction.
If you are the Data Controller, it is incumbent on you to ensure that the Data Processor complies with these obligations.
In addition to the general principles outlined above, in order to lawfully process Personal Data, a Data Controller must have at least one lawful basis to do so. There are 6 lawful bases given in GDPR:
- Consent – as mentioned in our previous note, the requirements for valid consent have been toughened up under GDPR, with specific, positive consent now required for specified processing purposes.
- Contract fulfillment – where the Personal Data must be processed to fulfill your contractual obligations to a Data Subject or to take pre-contractual steps at the Data Subject’s request.
- Legal obligation – where the controller has a legal obligation to process the Personal Data, so long as the processing is necessary.
- Vital interests – this is likely to apply where the processing is necessary to protect the life of the Data Subject or another individual.
- Public task – the processing is necessary to act in the public interest or to exercise an official function of the Data Controller.
- Legitimate interest – a potentially broad category. The Data Controller needs to identify the legitimate interest (either of the Data Controller or a third party), show that processing is necessary to achieve it and balance it against the Data Subject’s interests and rights.
The lawful basis to process Personal Data must be ascertained before any processing is commenced. If there is a change in purpose for processing Personal Data, this may lead to the existing basis for processing becoming invalid and this should be checked before the change takes place.
Additional Requirements for Special Category Data
In the previous note, we outlined what comprises Special Category Data (previously referred to as sensitive personal data). Where this is being processed, at least one of the special data conditions must be satisfied.
In addition to Consent, Vital interests, Public task and Legitimate interests (for certain types of non-profit organisation) as set out above, additional conditions are as follows:
- Employment – the processing is necessary for the controller to exercise its rights or obligations to the Data Subject in the context of the employment, social security or social protection of the data subject.
- Public domain – the Personal Data was manifestly put into the public domain by the Data Subject.
- Legal proceedings – processing is necessary for the establishment, exercise or defence of legal claims or by a court acting in its judicial capacity.
- Preventive or Occupational medicine – the personal data is processed to assess the working capacity of the Data Subject or to provide treatment or care.
- Public Health interest – protecting against things like cross border health threats or ensuring standards of medical care and products.
- Archiving – the processing is required for archiving in the public interest, scientific, historical or statistical research, provided that it remains proportionate.
It is imperative that, as a business, you understand the conditions under which you are processing personal data. Best practice will be to record all of these reasons in advance of commencing any processing so that a documented audit trail is in place.
A final point to be aware of on this subject is the additional responsibilities relating to processing Personal Data relating to children. This is a complex area (and warrants a full briefing for those involved in the area) but some key points to note are as follows:
- A child under the age of 13 cannot give consent to data processing. If you are looking to rely on consent as your basis for processing data, parental consent is required.
- Privacy notices that may be accessed by children will need to be drafted in ways that they can easily understand.
- Where there is likely to be processing of children’s data, then this should be considered in initial designs of any process to ensure suitability.
Please keep an eye out for our future updates. In these, we aim to help you identify areas of importance to businesses, so that you can ensure that your risks are covered off. You should also remember that the Information Commissioner’s website (https://ico.org.uk/) has many useful articles and checklists to help you steer clear of trouble.
This update is for general information only and is not legal advice. If you need assistance, please get in touch.