The GDPR reinforces the established principles governing data protection. These principles include processing data lawfully, obtaining valid consent from individuals you are collecting data from, and making sure the rights of individuals are protected (ie the right to object to their data being processed or the right to withdraw consent).
Lawful processing
When collecting personal data, you must make sure the data is:
-
used fairly, lawfully and in a transparent manner
-
collected for specified, explicit and legitimate purposes
-
adequate and relevant, and its collection is limited to what is necessary
-
accurate and kept up to date
-
kept for no longer than necessary
-
handled according to the data protection rights of individuals
-
stored in a way that protects the data against unlawful processing and accidental loss, and
-
not transferred outside the UK without adequate protection. Data transfers to the EEA and certain other states are covered by adequacy decisions
Consent
For consent to be valid, it must be:
Consent must consist of clear affirmative action, therefore silence, pre-ticked boxes or inactivity don't constitute valid consent. In addition, consent to process 'special category’ personal data (ie particularly sensitive data, such as information about racial origin, political opinions, religious beliefs, health, sexual orientation or criminal records) and consent to transfer personal data outside the UK or EU must be explicit (ie affirmed in a clear statement).
Individuals must be able to withdraw their consent at any time using a one-step process. It must be as easy to withdraw the consent as it was to give it (eg if data subjects simply ticked a box to express their consent, they should be able to withdraw the consent as easily).
Individuals' rights
The GDPR provides additional rights for individuals, including:
-
the right to erasure (or 'right to be forgotten'): individuals have the right to ask companies holding data about them to erase that data upon request if there's no compelling reason to continue processing the data.
-
the right to access data: data processors must comply with a request to access data without delay, and at the latest within one month of the request (this can be extended to two months if the request is too complex). However, you can refuse to respond to the request if it is manifestly unfounded or excessive.
-
the right to data portability: when data processing is carried out by automated means, individuals have the right to access their personal data in a machine-readable format (which allows access to the data in a portable and safe way).
For more information, read Data protection requests.
Breach notification
Data breaches are breaches of security that lead to, for example, the destruction, loss, alteration or unauthorised disclosure of personal data. Most data breaches must be reported to the relevant supervisory authority. In the UK this is the Information Commissioner’s Office (ICO). If the breach is likely to pose a high risk to the affected individuals’ rights and freedoms, it should also be reported to these individuals. If feasible, the breach must be reported within 72 hours of your becoming aware of it.
For more information, see the ICO guidance.