General Policy and Records

The GDPR has introduced a number of new principles to ensure that information is recorded, kept and readily available if a request is made by a data citizen or an independent public authority (i.e. a public service agency or any other government sector agency). Data controllers will now have to be able to demonstrate that the appropriate new measures are in place to avoid breaching their customers’ increased rights to privacy. These new principles are embedded within Data protection by design and by default and Privacy Impact Assessments.

Data protection by design and by default

The new principles require data controllers to implement appropriate technical and organisational measures to ensure that only personal data that is necessary for processing is actually processed. To comply with these principles, data controllers should take into account:

  • The amount of data collected and the extent of the processing, i.e. only collecting what's required rather than taking excess information such as cell numbers or date of birth.
  • The period of storage, i.e. discarding the data once the subscription/membership has ended.
  • The accessibility of the data, i.e. the data collected isn’t made available or accessible to an indefinite number of people.

To exemplify this, if you were to sign up to a new social media service, typically you would be required to enter your name and email address (and sometimes your mobile phone number). However, if this new service then published your personal information such as age, location etc. to the public rather than just your connections, this would be a clear breach of the privacy by default principle. Data controllers should ensure that personal data is not made available or accessible to an indefinite number of people to provide that specific service.

Data controllers should also comply with the new principles by being able to search for and extract all personal data of a particular data subject. With full accountability, it is a data controller’s responsibility to provide this information upon the request of a supervisory authority.

Privacy Impact Assessments

Privacy Impact Assessments (PIAs) were originally set up to help organisations identify and reduce their exposure to privacy risks. The GDPR has set out a list of activities that trigger the need to carry out PIAs prior to the processing of personal data. This list includes:

  • Monitoring activities which are systematic and extensive and which use automated processing of personal data in order to evaluate, analyse or predict behaviour;
  • Large scale processing of sensitive personal data; and
  • Systematic monitoring of publicly accessible information on a large scale.

The DAC Beachcroft guidebook for GDPR states that, to ensure the PIAs include adequate information for the supervisory authority, the assessment should include the following:

  • A description of the processing, including the legitimate interest pursued by the data controller;
  • An assessment of the necessity and proportionality of the processing;
  • An assessment of the risks to the rights and freedoms of data subjects; and
  • The safeguards and measures to protect against those risks.

Next month we will be providing insight into the Data Protection Officers of the GDPR. If you would like to discuss the GDPR further, please get in contact with us via: cyber@safeonline.com