July 15, 2020

The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance.

You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time such as privacy impact assessments and privacy by design are now legally required in certain circumstances.

Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.

Under the GDPR, the data protection principles set out the main responsibilities for organisations.

The principles are similar to those in the DPA, with added detail at certain points and a new accountability requirement. The GDPR does not have principles relating to individuals’ rights or overseas transfers of personal data - these are specifically addressed in separate articles (see GDPR Chapter III and Chapter V respectively).

The most significant addition is the accountability principle. The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity.

Lawful processing

For processing to be lawful under the GDPR, you need to identify a lawful basis before you can process personal data. These are often referred to as the “conditions for processing” under the DPA.

It is important that you determine your lawful basis for processing personal data and document this.

This becomes more of an issue under the GDPR because your lawful basis for processing has an effect on individuals’ rights. For example, if you rely on someone’s consent to process their data, they will generally have stronger rights, such as the right to have their data deleted.

The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA.

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected.

What is a personal data breach?

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

How can I demonstrate that I comply?

You must:

    a. Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.

    b. Maintain relevant documentation on processing activities.

    c. Where appropriate, appoint a data protection officer.

    d. Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:

        • data minimisation;

        • pseudonymisation;

        • transparency;

        • allowing individuals to monitor processing; and

        • creating and improving security features on an ongoing basis.

    e. Use data protection impact assessments where appropriate.

You can also adhere to approved codes of conduct and/or certification schemes. 

Records of processing activities (documentation)

As well as your obligation to provide comprehensive, clear and transparent privacy policies (see section on Individual rights), if your organisation has more than 250 employees, you must maintain additional internal records of your processing activities.

If your organisation has fewer than 250 employees you are required to maintain records of activities related to higher risk processing, such as:

• processing personal data that could result in a risk to the rights and freedoms of individuals; or

• processing of special categories of data or criminal convictions and offences.

What do I need to record?

You must maintain internal records of processing activities. You must record the following information. There are some similarities with ‘registrable particulars’ under the DPA which must be notified to the ICO.

    a. Name and details of your organisation (and where applicable, of other controllers, your representative and data protection officer).

    b. Purposes of the processing.

    c. Description of the categories of individuals and categories of personal data.

    d. Categories of recipients of personal data.

    e. Details of transfers to third countries including documentation of the transfer mechanism safeguards in place.

    f. Retention schedules.

    g. Description of technical and organisational security measures.

You may be required to make these records available to the relevant supervisory authority for purposes of an investigation.

Seven reasons why you should sit your GDPR Practitioner course with 

Online General Data Protection Regulations GDPR Training

Online GDPR (General Data Protection Regulations) training for staff.

This CPD accredited course is organised in small digestible chunks, with real world scenarios and stimulating ‘what would you do’ questions. Interactive eLearning makes it easier for learners to understand the principles of the GDPR in action. Testing on the General Data Protection Regulations and getting a GDPR training certificate helps them feel confident that they and colleagues won’t breach the regulations.

  • Cheat-resistant testing

  • Ready-to-use or editable

  • Multi-Language support

Online GDPR compliance staff training/e-learning for charities, businesses and public organisations helps ensure confidentiality and data privacy and helps to avoid GDPR fines and sanctions.

Target audience

All staff/Anyone who works with personal data

Duration

20 minutes awareness module for all staff and 40 minute comprehensive module for those working with data.

Certification

CPD

Find out more about online training here.
