The GDPR has introduced a number of new principles to ensure that information is recorded, kept and readily available if a request is made by a data citizen or Independent public authority (I.e. a public service agency or any other government sector agency). Data controllers will now have to be able to demonstrate that the appropriate new measures are in place to avoid breaching their customers’ increased rights to privacy. These new principles are embedded within Data protection by design and default and Privacy Impact Assessments.
The new principles require data controllers to implement appropriate technical and organisational measures to ensure that only personal data that is necessary for processing, is actually processed. To comply with these principles, data controllers should take into account:
The amount of data collected/the extent of the processing i.e. to only collect whats required, rather than taking excess information such as sell numbers or date of birth etc.
To exemplify this, if you were to sign up to a new social media service, typically you would be required to enter your name and email address (and sometimes your mobile phone number). However, if this new service then published your personal information such as age, location etc. to the public rather than just your connections, this would be a clear breach of the privacy by default principle. Data controllers should ensure that personal data is not made available or accessible to an indefinite number of people to provide that specific service.
Data controllers should also be complying with the new principles whereby they can search for and extract all personal data of a particular data subject. With full accountability, it is a data controller’s responsibility to provide this information upon the request of supervisory authority.
Privacy Impact Assessments (PIA’s) were originally set up to help organisations identify and reduce their exposure to privacy risks. The GDPR has set out a list of activities to trigger the need to carry out PIA’s prior to the processing of personal data. This list includes:
The DAC Beachcroft guidebook for GDPR states that, to ensure the PIA’s include adequate information for the superiority authority, the assessment should include the following:
Next month we will be providing insight into the Data Protection Officers of the GDPR. If you would like to discuss the GDPR further please get in contact with us via: firstname.lastname@example.org