The UK GDPR requires anyone who handles personal data to comply with 7 principles that act as a set of rules for processing information about living people.
Data controllers are responsible for demonstrating compliance with the 7 principles of GDPR. If the data controller does not follow the 7 data protection principles, they are not complying with the GDPR and, as a consequence, are breaking the law.
Failure to comply with the data protection principles can have serious consequences for both data controllers and data processors. These include potential penalties of millions of pounds, bringing the real threat of business insolvency as well as loss of reputation.
A key point to remember about the UK GDPR is that it only applies to the processing of personal data on living people. Information about a deceased person does not constitute personal data and therefore is not subject to the UK GDPR.
What is a data controller?
A data controller is a person or organisation who determines the purposes for which personal data is processed and the way in which it is processed.
What is a data processor?
A data processor is anyone who processes personal data on behalf of the data controller. This processing may be storing data, retrieving data, running payroll, marketing activities, or providing security for data.
What is personal data?
Personal data is information that relates to an identified or identifiable individual. Information includes names, birthdays, addresses, National Insurance numbers and IP addresses – in fact, pretty much any information that identifies an individual.
Some kinds of personal data are classed as sensitive personal data.
What is sensitive personal data?
Sensitive personal data includes information about personal preferences, opinions and background such as religion, trade union membership, political opinions and sexual preferences.
Sensitive personal data also includes biometric and genetic data that can uniquely identify an individual. This means that fingerprint, retina scan and DNA records are all examples of sensitive personal data if the data can be used to identify an individual.
The 7 GDPR principles
Article 5 of the UK GDPR sets out seven key principles, and following these principles is the key to complying with the UK GDPR.
UK GDPR requires that personal data shall be:
1. Processed lawfully, fairly and in a transparent manner
The first condition of lawful processing is consent.
Consent means a person giving permission to use their personal data. You must obtain consent to record and process personal data. As well as giving consent, there must be simple ways for a person to withdraw consent.
The request for consent must be separate from other terms and conditions in an agreement.
Consent must be a specific and unambiguous opt-in. This means that if a person gives you their consent to use personal data for one thing, you cannot use the personal data for a different purpose, nor can you claim the person gave consent because they did not tick an opt-out box.
You do not always need consent before processing personal data. For example, if you process information as part of a contract the person is entering into, consent is not necessary.
2. Collected for specified, explicit and legitimate purposes
Personal data must be used for the purpose stated when it was obtained from the individual and when the organisation collecting the data registered with the ICO.
This means, for example, that you cannot sell or give away personal data unless you obtain consent from the individual and use the data in the way that you said you would when you registered with the ICO.
In some situations you can use personal data for another purpose, if it is fair. For instance, it would be fair use of personal information to notify the emergency services if a care worker visited an individual to carry out an assessment and found the person had a medical emergency.
3. Adequate, relevant and limited to what is necessary
The third principle requires that the personal data processed should only have enough detail for the purpose it is being used for – and no more.
4. Accurate and up-to-date
The fourth principle requires that personal data must be accurate and kept up to date.
- If a next of kin changes address, you must update the records.
- If a person pays an outstanding loan, you should record it as paid.
- If someone has died, you should remove their name from mailing lists.
5. Kept for no longer than is necessary
The fifth principle requires that the information must not be kept longer than is necessary for the registered purpose.
You should dispose of personal data when you no longer need it. This will help ensure the personal data processed is kept to a minimum (Principle 3) and will reduce the risk that it will become inaccurate, out of date or irrelevant (Principle 4).
6. Processed in a manner that ensures security
The sixth principle is that personal data must be kept safe and secure from accidental or deliberate unauthorised access and use. To prevent the loss of personal data, a back-up process must be put in place.
This is not just about preventing fraud and other crime. It is also about maintaining confidentiality and preventing the loss of important information.
Measures for keeping personal data safe include:
- Vet staff – carry out identity checks and check references.
- Train your staff so they understand the importance of protecting personal data.
- Prevent the theft or loss of equipment, for example by keeping portable equipment secure.
- Dispose of old equipment and paper records securely.
- Have secure access and, where appropriate, alarms, security lighting or CCTV.
- Control visitor access to premises and supervise visitors while they are on site.
- Dispose of paper waste securely, for example by shredding it.
- Adopt information security policies including what action to take if there is a breach in security.
7. The data controller is responsible for, and can demonstrate, compliance with the other 6 principles
Finally, principle 7 states that the data controller shall be responsible for, and be able to demonstrate, compliance with the other data protection principles.
This means that the data controller will be held accountable if the processing of the personal data is not in accordance with data protection legislation.
The data controller needs to provide evidence that they have put effective measures in place to meet the GDPR’s transparency requirements, minimise the risk of breaches of information security and protect personal data.
Measures could include:
- Process the minimum amount of data possible
- Hold data in a format which makes it harder to identify an individual (pseudonymisation)
- Improve transparency by allowing individuals to monitor processing
- Continually improve data storage and data transfer security
- Apply privacy by design and privacy by default
- Conduct Data Protection Impact Assessments (DPIA)
In some circumstances, compliance requires an organisation to appoint a Data Protection Officer, or DPO for short.
The DPO must have sufficient autonomy and resources to carry out their tasks effectively.
An organisation must appoint a DPO if:
- It is a public authority (except for courts acting in their judicial capacity).
- It carries out large scale systematic monitoring of individuals – such as online behaviour tracking.
- It carries out large scale processing of special categories of data or data relating to criminal convictions and offences.
Need GDPR Training?
We offer the following CPD-certified online GDPR training courses:
- Data Protection and the GDPR Course
- Data Protection and the GDPR (Advanced) Course
- Data Protection and the GDPR for Schools Training Course