In this series of frequently asked questions, this article will look at those asked when people get a little more involved with their data protection journey.
If you want to check how well you are doing, or are realising that you aren’t doing things right, these are the things to ensure are being asked, or done, to get you further down the road to compliance with the Data Protection Act 2018 and/or the GDPR.
Question 1: What are principles of data protection?
Answer
These are the ways in which you believe you can collate, process, store and destroy personal information as described in the Data Protection Act 2018. As a list they are: a) Lawful, fair and transparent, b) Purpose limitation, c) Data minimisation, d) Accuracy, e) Storage limitation, f) Integrity and confidentiality and g) Accountability.
Question 2: What are the rights of individuals?
Answer
These are the obligations that you have to consider when designing the processes to collate, process, store and destroy personal information. As a list they are: a) Informed, b) Access, c) Rectification, d) Erasure, e) Restrict Processing, f) Data Portability, g) Object and h) Matters regarding automation.
Question: What are bases of processing?
Answer
These are the ways in which you are allowed to categorise the reasons you collate, process, store and destroy personal information. As a list they are: a) Contract, b) Legitimate Interest, c) Legal Obligation, d) Vital Interest, e) Public Task (or public interest) and f) Consent.
Question 3: How do I know when consent is the right way to process someone’s personal information?
Answer
The short answer is when none of the other bases of processing fit. Some of the most common areas where consent is required are: a) sharing data, b) inclusion in direct marketing, c) use of imagery.
Question 4: What do they mean by there are two types of personal data?
Answer
There are basically two types of personal data in law, the second being Special Category Data. There are nine specified types of Special Category Data in GDPR. However, it is best summarised as data that is sensitive and most likely to affect the rights and freedoms of an individual. It can therefore lead to discrimination if not controlled correctly.
Depending on your organisation, there may be information not in the nine listed by the ICO that could be classed as sensitive and could be treated as Special Category Data for you.
For more information see http://eye.validusmedia.com/data-types-gdpr/.
Question 5: What am I meant to do differently with Special Category data?
Answer
Special category data cannot usually be processed using “contract” as a basis for processing, so you should have a way of using Legitimate Interest, or Legal Obligation, as the basis for processing it.
There should also be stricter controls around it, for example storing it using an encrypted data channel, or more securely than you would store other personal data.
Question 6: How does pseudonymisation help me in my processes?
Answer
When personal data reaches the end of its storage period, as per your data policy, pseudonymising the data can retain certain traits and records of your organisation’s business interactions. It can help identify changes in trends and where your ideal customer now resides for marketing on social media, etc.
Where possible, pseudonymisation should be used for any process where the supply of personal data is optional. This should remove the link between any contractual information and sensitive information.
Question 7: How do I prepare for a data breach?
Answer
Advice from the ICO is that you should have the following prepared: a data breach recording process and a process to report any qualifying breaches to the ICO. It is important to remember that where a breach is required to be reported to the ICO, it must happen within 3 calendar days of identifying the breach. Your data controller should have received appropriate training to communicate with the ICO.
Question 8: What does a data controller have to do?
Answer
The Data Controller is the hub of your data protection environment. They are the person with the duty to create and present the policies for approval. They should monitor how well the processes match the obligations created in the policies.
They would also initiate the review processes to assist in the control of any third-party services your company initiates, and how closely your social media policy is followed. Their final task is to interact with the ICO if the worst were to happen and a breach was identified that required reporting to the ICO.
Question 9: What training do I have to undertake and provide?
Answer
The regulations do not stipulate the level of training managers and/or owners have to take. The stipulation is that the most senior management of any organisation is accountable for compliance with data protection legislation.
This means that what is learnt at the top must be appropriately disseminated to staff so that they do not fall foul of the regulations.
Training does not have to be provided from within the company. At Eye Bray, we have a suite of sessions pre-prepared to suit the needs of SMEs.
Question 10: What do my staff have to worry about?
Answer
Staff need to be aware of their obligations when processing personal information. This means that they need to receive training appropriate to their role. It also means understanding the implications of doing things wrong, including the possibility of receiving a financial penalty. Doing things wrong, in this instance, would be acting outside of the agreed procedure.
There is a part 2 to this blog so don’t miss it!
Don’t have a piece missing from your data protection puzzle. Read http://eye.validusmedia.com/faq-your-data-protection-journey-part-2/ for the second ten questions about moving on with your data protection journey.
If you need to go back to the first steps, read http://eye.validusmedia.com/frequently-asked-questions-about-the-first-steps-on-your-data-protection-journey/ to remember where it all starts.
More detailed articles can be found at http://eye.validusmedia.com/category/gdpr/
There is so much more information available, some of it very detailed. Please look through the other blogs and see if the information you want is provided.
If not, we would be pleased to answer your enquiry through enquiries@eye.validusmedia.com, or by calling 0743211611.
Alternatively visit https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ for more information direct from the ICO.