Welcome to the second instalment in our mini-series of blog posts on the General Data Protection Regulation.
The blogs provide background to the GPDR and include tips to help you make sure your business has robust data protection processes and procedures in place, which in turn will help ensure compliance with the Data Protection Act 1998 and the GDPR. In our last GDPR blog we summarised the essentials of the GDPR.
If Personal Data is stored in an Organised Filing System and is Processed by any organisation, the Data Protection Act 1998 and, from 25 May 2018, the GDPR will kick in.
What is “Personal Data”?
Data from which a living person (the data subject) can be identified including:
- First name
- Last name
- Email address
- Postal address
- Phone number
And so on…
What is an “Organised Filing System”?
- Files stored logically on a computer system – in practice, most files stored on a computer will be in an organised filing system
- Paper files stored alphabetically, chronologically or otherwise in a logical order
What is “Processing”?
Processing means doing anything with the Personal Data, including:
- Storing / holding
If an organisation processes Personal Data, it must satisfy one of the grounds set out in the GDPR for doing so:
Has the data subject provided express, specific consent to the processing? If so, the organisation is entitled to process that data subject’s personal data.
The next blog in this mini-series will discuss consent and the implications and requirements of the GDPR around consent in more detail.
Does the organisation have a legitimate interest for processing the data subject’s personal data? In other words, would the data subject be surprised or upset about the data processing?
There are 2 key questions to consider:
- Does the organisation need to process the personal data for the purposes of its relationship with the data subject?
- Does the processing have a prejudicial effect on the rights, freedoms or legitimate interests of the data subject?
Is processing necessary to perform a contract with the data subject? For example, an online retailer needs to process a customer’s address and payment information to provide it with the products purchased. The data must be processed only to the extent necessary to fulfil the contract.
Is processing necessary to comply with a court order, a regulation or other legal requirement?
Is processing the personal data a matter of life and death? This ground covers humanitarian crises such as tracking natural disasters or medical emergencies.
Is processing necessary for performing a task in the public interest or pursuant to an official authority? This ground covers, for example, a public authority investigating a crime.
Additional protections apply under the GDPR if data is processed in respect of children under the age of 16.
Special Categories of Data
If an organisation processes Special Categories of Data (“sensitive personal data” under the Data Protection Act 1998), it must satisfy additional criteria. Special Categories of Data includes religious and political views, sexual orientation, health and genetic data.
Find out more…
This article was written with the assistance of Anouj Patel.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.