GDPR stands for the General Data Protection Regulation. In the UK it applies as the UK GDPR, which sits alongside, and is supplemented by, the Data Protection Act 2018.
This regulation governs how companies handle the personal data they store about individuals, whether that data relates to a person in a private, public, or work capacity.
Keep reading to learn more about your business responsibilities under GDPR.
What is personal information in GDPR?
Personal data is information that allows a living individual to be identified, either directly from that information alone or indirectly when it is combined with other information.
Personal data also includes the special categories (such as health, racial or ethnic origin, religious beliefs, sexual orientation, and genetic or biometric data) and, separately, data about criminal convictions and offences; both are considered more sensitive and can only be processed in limited circumstances.
An individual is ‘identifiable’ when you can distinguish them from other individuals. A name, for example, is probably the most common identifier.
However, whether any potential identifier actually identifies an individual depends on the context. This means that a combination of identifiers may be required to identify an individual.
Examples of identifiers according to the UK GDPR include names, identification numbers, location data, online identifiers (e.g., IP addresses and cookies).
Information must ‘relate’ to the identifiable individual to be considered personal data, meaning that the data does more than just identify them: it must concern the individual in some way. Things to consider when deciding whether data relates to an individual include:
- Content: is the data directly about an individual or their activities?
- Purpose: why are you processing it?
- Results: what effect does the processing have on the individual?
There may be circumstances that make it hard to determine whether data is personal. In that case, treat the data with care as a matter of best practice: record your reasoning for processing it and hold it securely.
What are the business obligations under GDPR?
Businesses must follow the data protection rules for any personal information they keep on staff, customers, and account holders, for example when recruiting staff, managing staff records, marketing products or services, or operating CCTV.
You must tell individuals about their rights, including the right to see the data you hold about them, to have it erased, and to object to it being used for a particular purpose.
You must tell the Information Commissioner’s Office how your business uses personal information (most organisations must register with the ICO and pay a data protection fee), and you must respond to a subject access request when someone asks to see what information you hold about them.
If you misuse personal data held by your company, you could face a heavy fine or be made to pay compensation.
What are the seven key principles of GDPR?
- Lawfulness, fairness, and transparency:
  - You must identify a specific lawful basis for each processing activity before it can be considered lawful.
  - You must also not do anything with the data that is unlawful in a more general sense.
  - You must handle personal data fairly, meaning in ways that people would reasonably expect and without unjustified adverse effects on them.
  - This links with transparency: processing must be clear, open, and honest from the start, including who you are and how and why you are using personal data.
- Purpose limitation:
  - You must be clear about why you are collecting personal data and what you intend to use it for. This keeps you accountable for your processing and avoids ‘function creep’, which in turn helps build public trust in how personal data is used.
- Data minimisation:
  - You must identify the minimum amount of personal data you need to fulfil your purpose, and collect no more than that.
- Accuracy:
  - You must take reasonable steps to ensure the accuracy of any personal data.
  - Ensure that the source and status of the personal data is clear.
  - Consider any challenges to the accuracy of the information and whether it needs to be updated periodically.
- Storage limitation:
  - You must erase or anonymise personal data when you no longer need it, reducing the risk of it becoming irrelevant, excessive, inaccurate, or out of date.
  - This also reduces the risk of using the data in error, which could be detrimental to all concerned.
- Integrity and confidentiality (security):
  - You must have appropriate security measures in place to protect all personal data you hold.
- Accountability:
  - You must take responsibility for what you do with personal data and how you comply with the other principles.
  - You must have appropriate measures and records in place to demonstrate your compliance.
How can WA Management help?
WA Management offer an online General Data Protection Regulations training course suitable for any managers and employees who handle data.
Cyber Security, GDPR & Phishing Awareness training courses are essential tools in protecting your business from cyber and data risks. Make sure you don’t miss out on our 10% off deal on these courses, available until the end of December. Simply enter the code ‘cyber10’ at checkout to save!
Read more Consultant’s blogs here.
To keep up to date with the latest health & safety news and advice, follow us on social media: