A Brief Guide to GDPR

The GDPR, the General Data Protection Regulation (EU) 2016/679, is an EU regulation that set new standards for the handling of personal data. It has applied since 25 May 2018 to organizations processing the personal data of individuals in the EEA, including organizations established outside the EEA that offer goods or services to, or monitor the behaviour of, individuals there. In the UK, the Data Protection Act (DPA) 2018 sits alongside the "UK GDPR", the version of the GDPR retained in UK law after Brexit, which governs the processing of personal data in the UK.

As an EU regulation, the GDPR was directly enforceable in the UK until the end of the Brexit transition period on 31 December 2020. Its main objective is a single, consistent data protection framework across EU member states, together with stronger rights and protections for the individuals whose personal data is processed.

After the transition period the UK became a third country. Data flows from the EU to the UK now rest on the adequacy decisions adopted by the European Commission in June 2021, which allow personal data to move from the EU to the UK without additional transfer safeguards. These decisions are not permanent: they carry a four-year sunset clause and lapse unless renewed, so organizations relying on them should keep their EU-to-UK transfer arrangements under review.

The GDPR is built on seven principles (often described as six plus one, accountability being the one) that set out its fundamental aims.

Seven GDPR principles

  • Lawfulness, fairness and transparency

  • Purpose limitation

  • Data minimisation

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality (security)

  • Accountability.

With the exception of accountability, the GDPR principles align closely with those already found in earlier UK data protection law such as the DPA 1998. If your organization acts as a controller or processor of personal data, it must implement appropriate technical and organizational measures to uphold these principles; in practice, your information systems need to be designed with data protection built in from the start rather than bolted on afterwards.

Under the accountability principle, your organization is responsible for complying with the GDPR and for being able to demonstrate that compliance. One concrete obligation is breach notification: a personal data breach must be reported to the supervisory authority (the Information Commissioner's Office, or ICO, in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be told without undue delay. The 72-hour clock starts when you become aware of the breach, not when you finish investigating it, so a notification may need to be made in stages as facts emerge. Failure to notify can attract a fine of up to 10 million euros or 2 percent of annual worldwide turnover, whichever is higher (under the UK GDPR, £8.7 million or 2 percent). This is why robust procedures for detecting, investigating, recording and internally escalating breaches matter: you cannot report within 72 hours what you cannot detect or triage quickly.

Moreover, your organization must ensure that it processes personal data based on one of the six lawful bases specified by the GDPR.

What are the six lawful bases?

  • Consent

  • Contract

  • Legal obligation

  • Vital interests

  • Public task

  • Legitimate interests

None of these six bases is more important than the others; the most appropriate one depends on the purpose of the processing and your relationship with the data subject. For most bases the processing must be "necessary" for the stated purpose: if you could reasonably achieve the same purpose without processing the personal data, or with less of it, that basis does not apply. Determine the lawful basis before processing begins and document it, and state both the basis and the purposes of processing in your privacy notice. Take particular care with consent: it must be freely given, specific, informed and unambiguous, the data subject must be able to withdraw it as easily as it was given, and if consent is refused or withdrawn you cannot fall back on a different basis for the same processing.

If the purpose of processing changes and existing personal data is to be used for a new purpose, you can continue to rely on the original lawful basis only if the new purpose is compatible with the purpose for which the data was collected (unless the original basis was consent, in which case fresh consent is needed). Special category data (for example health, biometric or political-opinion data) requires an additional condition under Article 9 in addition to the lawful basis, and criminal conviction or offence data, including alleged offences, may only be processed under official authority or where UK or EU law specifically authorizes it (in the UK, via a condition in Schedule 1 of the DPA 2018). Check that such a condition exists before processing begins.

It is also essential for your organization to uphold the rights of data subjects as outlined in the GDPR.

The eight rights

  • The right to be informed

  • The right of access

  • The right to rectification

  • The right to erasure

  • The right to restrict processing

  • The right to data portability

  • The right to object

  • Rights around automated decision-making and profiling.

How to Ensure GDPR Compliance?

To comply with the GDPR principles, including accountability, your organization must prioritize the following:

  1. Lawfulness, fairness, and transparency:

    • Ensure that your data collection and processing rests on an identified lawful basis and does not breach any other law, such as contractual or confidentiality obligations.

    • Determine and document the lawful basis for collecting and using personal data.

    • Process personal data in a manner that is fair, non-detrimental, and transparent to the data subjects.

    • Clearly communicate your data processing activities, purposes, and methods in your privacy notice.

  2. Purpose limitation:

    • Collect personal data only for specific, explicit, and legitimate purposes.

    • Document and specify these purposes in your organizational documentation and privacy policy.

    • Do not use personal data for a new purpose that is incompatible with the one it was collected for, unless you obtain fresh consent or have a clear basis in law.

  3. Data minimization:

    • Ensure that the personal data processed is adequate, relevant, and limited to what is necessary for the stated purpose.

    • Avoid collecting information you do not need: less data is easier to keep accurate, reduces the impact of a breach, and simplifies responding to data subject requests.

  4. Accuracy:

    • Take reasonable steps to maintain the accuracy of the personal data you process.

    • Correct or erase any identified incorrect or misleading data promptly.

    • Respect data subjects' right to request rectification of inaccurate or incomplete data, and respond within the statutory time limit.

  5. Storage limitation:

    • Retain personal data only for the duration required to fulfill the defined processing purposes.

    • Develop a policy specifying standard retention periods to comply with documentation requirements.

    • Regularly review and delete or anonymize personal data when it is no longer needed.

    • Be prepared to justify your retention periods if challenged by data subjects or the supervisory authority.

  6. Integrity and confidentiality:

    • Process personal data in a manner that ensures appropriate security measures against unauthorized or unlawful processing, accidental loss, destruction, or damage.

    • Assess and address risks based on the nature, scope, context, and purpose of your data processing activities.

    • Implement access controls, encryption, pseudonymization, and other technical, organizational, and physical security measures relevant to the personal data being processed.

  7. Accountability:

    • Establish a culture of accountability and responsibility for complying with the GDPR.

    • Implement a data protection by design and default approach.

    • Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities.

    • Develop and enforce data protection policies, processes, and documentation.

    • Maintain written contracts with data processors.

    • Provide training and awareness programs for staff.

    • Consider adhering to approved codes of conduct or certification schemes, and to recognized management system standards, as a way of demonstrating compliance.

    • Appoint a Data Protection Officer if required.

    • Record and report personal data breaches as necessary.

    • Regularly review and update measures to ensure ongoing compliance with the accountability principle.

Remember that accountability is an ongoing obligation that requires continuous review and improvement. Being able to show comprehensive systems and documentation will reduce the impact of any investigation or breach. Administrative infringements of the GDPR, such as inadequate records or missing contracts with processors, can attract significant fines from supervisory authorities such as the ICO in the UK, quite apart from any fine for the underlying breach. By following these guidelines and remaining vigilant, your organization can demonstrate GDPR compliance and protect the rights of data subjects.