GDPR Checklist - Controllers and Processors

Step 1 of 4: Lawfulness, fairness and transparency

1.1 Information you hold:

Your business has conducted an information audit to map data flows.

You should organise an information audit across your business or within particular business areas. One person with in-depth knowledge of your working practices may be able to do this.

This will identify the data that you process and how it flows into, through and out of your business.

Remember, an information flow can include a transfer of information from one location to another. For example, the information may stay within your business yet a transfer takes place because the department or other office is located elsewhere (off site).

Having audited your information, you should then be able to identify any risks.

1.2 Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it.

Once you have completed your information audit, you should document your findings, for example in an information asset register.

Doing this will also help you to comply with the GDPR’s accountability principle. This requires your business to be able to show how you comply with the GDPR principles, for example by having effective procedures and guidance for staff.

You must record:

If you have fewer than 250 employees you only need to keep these records for processing activities that:

You may be required to make these records available to the ICO on request.

1.3 Lawful basis for processing personal data

Your business has identified your lawful bases for processing and documented them.

You need to identify your lawful basis before you can process personal data.

There are six available lawful bases for processing. No single basis is better or more important than the others. The basis that is most appropriate will depend on your purpose for processing and relationship with the individual.

In summary, the six lawful bases are:

  1. Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

If you are processing special category data or criminal offence data you need to identify both a lawful basis for general processing and an additional condition (Article 9 condition) for processing this type of data. You need to give individuals information about how you intend to process their personal data and what your lawful basis is for doing so.

1.4 Consent

Your business has reviewed how you ask for and record consent.

The GDPR sets a high standard for consent but remember you often won’t need consent. You should also assess whether another lawful basis is more appropriate.

Consent means offering people genuine choice and control over how you use their data. You can build trust and enhance your reputation by using consent properly.

The GDPR builds on the 1998 Act standard of consent in several areas and contains much more detail:


1.5 Your business has systems to record and manage ongoing consent

Your obligations don’t end when you first get consent. You should continue to review consent as part of your ongoing relationship with individuals, not a one-off compliance box to tick and file away.

Keep consent under review, and refresh it if anything changes. You should have a system or process to capture these reviews and record any changes.

If your current consent doesn’t meet the GDPR’s high standards or is poorly documented, you need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.

1.6 Consent to process children’s personal data for online services

If your business relies on consent to offer online services directly to children, you have systems in place to manage it.

You need to have a lawful basis for processing a child’s personal data.

If you are relying on consent as your lawful basis for processing and are offering online services to children, only a child aged 13 or over will be able to provide their own consent.

You will therefore need to make reasonable efforts to verify that anyone giving their own consent is old enough to do so.

For children under 13 you need to get consent from whoever holds parental responsibility for the child - unless the online services you offer are for preventive or counselling purposes.

You must make reasonable efforts (using available technology) to verify that the person giving consent does, in fact, hold parental responsibility for the child.

1.7 Vital interests

If you may be required to process data to protect the vital interests of an individual, your business has clearly documented the circumstances where it will be relevant. Your business documents your justification for relying on this basis and informs individuals where necessary.

The lawful basis for vital interests is very similar to the old condition for processing in the 1998 Act. One key difference is that anyone’s vital interests can now provide a basis for processing, not just those of the data subject themselves. This lawful basis is very limited in its scope, and generally only applies to matters of life and death. It is likely to be particularly relevant for emergency medical care, when you need to process personal data for medical purposes but the individual is incapable of giving consent to the processing. It is unlikely to be appropriate for medical care that is planned in advance or for processing on a larger scale.

As health data is one of the special categories of data, you also need to identify a condition for processing special category data under Article 9.

Provide guidance to staff so they know the circumstances when they may apply this lawful basis.

You need to review your existing processing to identify if you have any ongoing processing for this reason, or are likely to need to process for this reason in future. You should then document where you rely on this basis and inform individuals if relevant.

1.8 Legitimate interests

If you are relying on legitimate interests as the lawful basis for processing, your business has applied the three-part test and can demonstrate you have fully considered and protected individuals’ rights and interests.

Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. It is likely to be most appropriate if:

The GDPR specifically mentions use of client or employee data, marketing, fraud prevention, intra-group transfers, or IT security as potential legitimate interests, but this is not an exhaustive list. It also says that you have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.

If you want to rely on legitimate interests, you can use the three-part test, or a legitimate interests assessment (LIA), to assess whether it applies. You should do it before you start the processing.

Firstly, identify the legitimate interest(s). Consider:

Secondly, apply the necessity test. Consider:

Thirdly, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:

If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

1.9 Data Protection Fee

Your business is currently registered with the Information Commissioner's Office.

After May 2018 you need to pay the ICO a data protection fee.

If you have already registered with the ICO in the last year prior to May 2018, you only need to pay the fee once your current registration expires.

There are three different tiers of fee. Controllers are expected to pay between £40 and £2,900. The fees are set by Parliament to reflect what it believes is appropriate based on the risks posed by the processing of personal data by controllers. The tier you fall into depends on:

Not all controllers must pay a fee. Many can rely on an exemption.

Read our Guide to the Data Protection Fee on our website for more information.

Step 2 of 4: Individuals' rights

2.1 Right to be informed including privacy information

Your business has provided privacy information to individuals.

Individuals need to know that you are collecting their data, why you are processing it and who you are sharing it with.

You should publish this privacy information on your website and within any forms or letters you send to individuals. The information must be:

What information you supply depends on whether you obtained the personal data directly from the individual or a third party.

Guide to the GDPR - Right to be informed

2.2 Communicate the processing of children’s personal data

If your business offers online services directly to children, you communicate privacy information in a way that a child will understand.

You must provide children with the same privacy information as you give adults. It is good practice to also explain the risks involved in the processing and the safeguards you have put in place.

Any information directed at the child should be concise, clear, and written in plain language so that they are able to understand what will happen to their personal data, and what rights they have. It should be age-appropriate and presented in a way that appeals to a young audience. If children younger than your target age range are likely to try and access any online services you provide then try to explain any age limit to them in language they will understand.

2.3 Right of access

Your business has a process to recognise and respond to individuals' requests to access their personal data.

Individuals have the right to obtain:

Individuals can request information verbally or in writing. You must provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request is:

You must base the fee on the administrative cost of providing the information.

You must provide information without delay and at least within one calendar month of receiving it. You can extend this by a further two months for complex or numerous requests (in which case you must inform the individual and give an explanation).

You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (eg 31 January to 28 February).

If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond (eg you receive a request on 30 March and the time limit starts from the next day (31 March). As there is no equivalent date in April, you have until 30 April to respond. However, if 30 April falls on a weekend, or is a public holiday, you have until the end of the next working day to respond).

This means that the legal deadline will vary from 28 days to 31 days depending on the month. For practical purposes if a consistent number of days is required (eg for a computer system), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

You must verify the identity of the person making the request, using “reasonable means”.

If the request is made electronically, you should provide the information in a commonly used electronic format.

2.4 Right to rectification and data quality

Your business has processes to ensure that the personal data you hold remains accurate and up to date.

Individuals have the right to have personal data rectified if it is inaccurate or completed if it is incomplete.

An individual can make a request for rectification verbally or in writing.

You should respond to a request without delay and at least within one month of receipt. You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.

A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (eg 31 January to 28 February).

If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond (eg you receive a request on 30 March and the time limit starts from the next day (31 March). As there is no equivalent date in April, you have until 30 April to respond. However, if 30 April falls on a weekend, or is a public holiday, you will have until the end of the next working day to respond).

This means that the legal deadline will vary from 28 days to 31 days depending on the month. For practical purposes if a consistent number of days is required (eg for a computer system), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

You can extend this period by a further two months for complex or numerous requests (in which case you must inform the individual and explain the delay). It is good practice to make a note on the record showing that it is under dispute and why.

You must verify the identity of the person making the request, using “reasonable means”. If you have shared the personal data with other organisations (for example other controllers or processors) you must inform them of the rectification where possible.

You should regularly review the information you process or store to identify when you need to take action, eg correct inaccurate records. Records management policies, with rules for creating and keeping records (including emails) can help.

Conducting regular data quality reviews of systems and manual records you hold will help to ensure the information continues to be adequate for the purposes you are processing for.

You should also ensure that you complete regular data quality checks to provide assurances on the accuracy of the data being inputted by your staff.

If you identify any data accuracy issues, you should communicate lessons learned to staff through ongoing awareness campaigns and internal training.

2.5 Right to erasure including retention and disposal

Your business has a process to securely dispose of personal data that is no longer required or where an individual has asked you to erase it.

Individuals have the right to be forgotten and can request the erasure of personal data when:

Individuals can make a request for erasure verbally or in writing.

You must verify the identity of the person making the request, using “reasonable means”.

You should respond to a request without delay and at least within one month of receipt. You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (eg 31 January to 28 February).

If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond (eg you receive a request on 30 March and the time limit starts from the next day (31 March). As there is no equivalent date in April, you have until 30 April to respond. However, if 30 April falls on a weekend, or is a public holiday, you have until the end of the next working day to respond).

This means that the legal deadline will vary from 28 days to 31 days depending on the month. For practical purposes if a consistent number of days is required (eg for a computer system), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

You can extend this period by a further two months for complex or numerous requests (in which case you must inform the individual and give an explanation).

You can refuse to comply with a request for erasure if you are processing the personal data for the following reasons:

A written retention policy or schedule will remind you when to dispose of various categories of data, and help you plan for its secure disposal.

You should regularly review your retention schedule to make sure it continues to meet business and statutory requirements and agree any amendments with managers and incorporate them into the new schedule.

You should designate responsibility for retention and disposal to an appropriate person.

2.6 Right to restrict processing

Your business has procedures to respond to an individual’s request to restrict the processing of their personal data.

Individuals have a right to block or restrict the processing of their personal data.

Individuals can make a request verbally or in writing. You must verify the identity of the person making the request, using “reasonable means”.

You should respond to a request without delay and at least within one month of receipt. You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (eg 31 January to 28 February).

If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond (eg you receive a request on 30 March and the time limit starts from the next day (31 March). As there is no equivalent date in April, you have until 30 April to respond. However, if 30 April falls on a weekend, or is a public holiday, you have until the end of the next working day to respond).

This means that the legal deadline will vary from 28 days to 31 days depending on the month. For practical purposes if a consistent number of days is required (eg for a computer system), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month. You can extend this period by a further two months for complex or numerous requests (in which case you must inform the individual and give an explanation).

When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in the future. As a matter of good practice, you should consider restricting the processing of personal data if:

You may need to review procedures to ensure you are able to determine if you need to restrict the processing of personal data.

If you have disclosed the personal data to other organisations (controllers or processors), you must inform them about the restriction, unless it is impossible or involves disproportionate effort to do so.

You must inform individuals when you decide to lift a restriction on processing.

2.7 Right to data portability

Your business has processes to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

They can receive personal data or easily move, copy or transfer that data from one business to another in a safe and secure way.

The right to data portability only applies:

You should respond to a request without delay and at least within one month of receipt. You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (eg 31 January to 28 February).

If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond (eg you receive a request on 30 March and the time limit starts from the next day (31 March). As there is no equivalent date in April, you have until 30 April to respond. However, if 30 April falls on a weekend, or is a public holiday, you will have until the end of the next working day to respond).

This means that the legal deadline will vary from 28 days to 31 days depending on the month. For practical purposes if a consistent number of days is required (eg for a computer system), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month. You can extend this period by a further two months for complex or numerous requests (in which case you must inform the individual and give an explanation).

You must provide the personal data in a structured, commonly used and machine readable format. Examples of appropriate formats include CSV and XML files.

You must provide the information free of charge. If the individual requests it, you may be required to transmit the data directly to another business where this is technically feasible.

2.8 Right to object

Your business has procedures to handle an individual’s objection to the processing of their personal data.

Individuals have a right to object to the processing of their personal data in certain circumstances. Whether it applies depends on your purposes for processing and your lawful basis for processing. You must inform individuals of their right to object “at the point of first communication” and present it separately from other information on rights clearly laid out in your privacy notice. Individuals can object verbally or in writing.

You must verify the identity of the person making the request, using “reasonable means”.

You should respond to a request without delay and at least within one month of receipt. You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (eg 31 January to 28 February).

If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond (eg you receive a request on 30 March and the time limit starts from the next day (31 March). As there is no equivalent date in April, you have until 30 April to respond. However, if 30 April falls on a weekend, or is a public holiday, you have until the end of the next working day to respond).

This means that the legal deadline will vary from 28 days to 31 days depending on the month. For practical purposes if a consistent number of days is required (eg for a computer system), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

You can extend this period by a further two months for complex or numerous requests (in which case you must inform the individual and give an explanation).

If the right to object does apply, it is not always absolute. Whether it is an absolute right depends on your purposes for processing the data.

Individuals have an absolute right to object to any processing (including profiling) undertaken for the purposes of direct marketing.

You must stop processing for direct marketing as soon as you receive an objection. There are no exemptions or grounds to refuse.

Individuals can object, on ‘grounds relating to his or her particular situation’ to processing (including profiling) based on:

In these circumstances the right to object is not absolute. You must stop processing the personal data unless:

If you are processing personal data for scientific or historical research purposes or for statistical purposes, the right to object is more restricted and does not apply if the processing is necessary for the performance of a task carried out for reasons of public interest.

2.9 Rights related to automated decision making including profiling

Your business has identified whether any of your processing operations constitute automated decision making and has procedures in place to deal with the requirements.

The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These are set out in Article 22.

Individuals have the right not to be subject to a decision when:

You can only carry out this type of processing if the decision is:

If one of these exceptions applies you must put in place suitable measures to safeguard the individual’s rights, freedoms and legitimate interests.

These measures must include at least the right for individuals to:

Individuals can exercise these rights verbally or in writing.

You must verify the identity of the person making the request, using “reasonable means”.

You should respond to a request without delay and at least within one month of receipt. You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month. A calendar month ends on the corresponding date of the next month (eg 2 January to 2 February), unless that date does not exist in which case it is the last day of the next month (eg 31 January to 28 February).

If the corresponding date falls on a weekend or a public holiday, you have until the next working day to respond (eg you receive a request on 30 March and the time limit starts from the next day (31 March). As there is no equivalent date in April, you have until 30 April to respond. However, if 30 April falls on a weekend, or is a public holiday, you have until the end of the next working day to respond).

This means that the legal deadline will vary from 28 days to 31 days depending on the month. For practical purposes if a consistent number of days is required (eg for a computer system), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.

You can extend this period by a further two months for complex or numerous requests (in which case you must inform the individual and give an explanation).
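The time-limit rule stated in sections 2.3 to 2.9 (count from the day after receipt to the corresponding calendar date in the next month, fall back to the last day of that month, roll forward over weekends and public holidays, or adopt a fixed 28-day period in a computer system) is easy to get wrong when coded by hand. The following is an added example, not part of the ICO checklist; it implements that rule and the 28-day fallback so the two can be compared. The holiday list is a constructed sample, not a real bank-holiday calendar, and the function names are the example's own.

```python
"""Statutory one-month response deadline for a data subject request.

Added example (not part of the ICO checklist). Implements the rule the
checklist states: count from the day after receipt to the corresponding
calendar date in the next month, use the last day of that month when the
date does not exist, and roll forward over weekends and public holidays.
Also shows the checklist's fixed 28-day fallback for systems that need a
constant period.
"""
import calendar
from datetime import date, timedelta


def _corresponding_date_next_month(start: date) -> date:
    """Same day number in the following month, clamped to that month's length."""
    year = start.year + (1 if start.month == 12 else 0)
    month = 1 if start.month == 12 else start.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def statutory_deadline(received: date, public_holidays=frozenset()) -> date:
    """Latest legal response date for a request received on `received`.

    `public_holidays` is the set of dates the business treats as non-working
    days; a real deployment supplies the bank-holiday list for its jurisdiction.
    """
    start = received + timedelta(days=1)  # the clock starts the day after receipt
    deadline = _corresponding_date_next_month(start)
    # A deadline on a Saturday, Sunday or public holiday moves to the end of
    # the next working day.
    while deadline.weekday() >= 5 or deadline in public_holidays:
        deadline += timedelta(days=1)
    return deadline


def fixed_period_deadline(received: date, days: int = 28) -> date:
    """Conservative constant-period deadline (the checklist's 28-day suggestion)."""
    return received + timedelta(days=days)


def days_allowed(received: date, public_holidays=frozenset()) -> int:
    """Days from the day after receipt to the statutory deadline.

    Before any weekend or holiday roll-forward this is 28 to 31 depending on
    the month, which is the variation the checklist warns about.
    """
    start = received + timedelta(days=1)
    return (statutory_deadline(received, public_holidays) - start).days


# Constructed sample holiday set for the demonstration only.
SAMPLE_HOLIDAYS = frozenset({date(2022, 5, 2)})

if __name__ == "__main__":
    for received in (date(2022, 1, 1), date(2023, 1, 30), date(2022, 3, 30)):
        print(received, "->", statutory_deadline(received, SAMPLE_HOLIDAYS),
              "| 28-day fallback:", fixed_period_deadline(received))
```

The `fixed_period_deadline` result is always on or before the statutory date, which is why the checklist suggests it for systems that need one constant number; the cost is that staff lose the extra days the calendar-month rule would have given in longer months.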

The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular to analyse or predict their:

If the decision involves the processing of special categories of personal data then the exceptions available to justify the processing are more limited. Processing can only take place if:

You should exercise particular caution if you are making an automated decision about a child.

Step 3 of 4: Accountability and governance

3.1 Accountability

Your business has an appropriate data protection policy.

The GDPR requires you to show how you comply with the principles.

A policy will help you address data protection in a consistent manner and demonstrate accountability under the GDPR. This can be a standalone policy statement or part of a general staff policy.

The policy should clearly set out your approach to data protection together with responsibilities for implementing the policy and monitoring compliance.

Management should approve the policy and you should publish and communicate it to all staff. You should review and update the policy at planned intervals or when required to ensure it remains relevant.

3.2 Your business monitors your own compliance with data protection policies and regularly reviews the effectiveness of data handling and security controls.

Documenting policies alone is often not enough to provide assurances that staff are adhering to the processes they outline.

You should ensure that you have a process to monitor compliance with data protection and security policies.

You should regularly test measures that are detailed within the policies to provide assurances about their continued effectiveness.

Responsibility for monitoring compliance with the policy should be independent of the people implementing the policy, to allow the monitoring to be unbiased. Staff should report the results of compliance testing on a regular basis to senior management.

3.3 Your business provides data protection awareness training for all staff.

You should brief all staff handling personal data on their data protection responsibilities. It is good practice to provide awareness training on or shortly after appointment with updates at regular intervals or when required.

You should also consider specialist training for staff with specific duties, such as information security and database management and marketing.

Regularly communicating key messages is equally important to reinforce training and maintain awareness (for example intranet articles, circulars, team briefings and posters).

3.4 Processor contracts

Your business has a written contract with any processors you use.

Whenever you use a processor you need to have a written contract in place, or another legal act must apply.

The contract is important so that both parties understand their responsibilities and liabilities.

The GDPR sets out what you need to include in the contract.

You are directly liable for overall compliance with the GDPR and for demonstrating that compliance. If you don’t achieve this, then you may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures.

You must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.

Processors must only act on your documented instructions. They do however have some direct obligations and responsibilities under the GDPR. If they fail to comply they may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures.

You may be able to use adherence by a processor to an approved code of conduct or certification scheme to help demonstrate that you have chosen a suitable processor. However they are not yet available.

In the future, standard contractual clauses may be provided by the European Commission or the ICO, and may form part of a code or certification scheme. However these are not yet available.

3.5 Information risks

Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.

You should set out how you (and any of your data processors) manage information risk.

You need to have a senior staff member with responsibility for managing information risks, coordinating procedures put in place to mitigate them and for logging and risk assessing information assets.

Where you have identified information risks, you should have appropriate action plans in place to mitigate any risks that are not tolerated or terminated.

3.6 Data Protection by Design

Your business has implemented appropriate technical and organisational measures to integrate data protection into your processing activities.

Under the GDPR, you have a general obligation to implement appropriate technical and organisational measures to show that you have considered and integrated data protection into your processing activities. This is referred to as data protection by design and by default.

You should adopt internal policies and implement measures which help you comply with the data protection principles – this could include data minimisation, pseudonymisation and transparency measures.

3.7 Data Protection Impact Assessments (DPIA)

Your business understands when you must conduct a DPIA and has processes in place to action this.

DPIAs help you identify the most effective way to comply with your data protection obligations and meet individuals’ expectations of privacy.

An effective DPIA will allow you to identify and fix problems at an early stage, reducing the associated costs and damage to your reputation which might otherwise occur.

You must do a DPIA before you begin any type of processing which is “likely to result in a high risk”. This means that although you have not yet assessed the actual level of risk you need to screen for factors that point to the potential for a widespread or serious impact on individuals.

In particular, the GDPR says you must do a DPIA if you plan to:

The ICO also requires you to do a DPIA if you plan to:

You should also think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals. European guidance (WP248) provides a number of criteria that you can compare your intended processing against to see if a DPIA should be undertaken.

Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.

The DPIA should contain the following information:

If you have carried out a DPIA that identifies a high risk, and you cannot take any measures to reduce this risk, you need to consult the ICO. You cannot go ahead with the processing until you have done so.

The focus is on the ‘residual risk’ after any mitigating measures have been taken. If your DPIA identified a high risk, but you have taken measures to reduce this risk so that it is no longer a high risk, you do not need to consult the ICO.

3.8 Your business has a DPIA framework which links to your existing risk management and project management processes.

A DPIA can address multiple processing operations that are similar in terms of the risks, provided adequate consideration is given to the specific nature, scope, context and purposes of the processing.

You should start to assess the situations where it will be necessary to conduct one:

If the processing is wholly or partly performed by a processor, then that processor must assist you in carrying out the DPIA. It may also be appropriate to seek the views of data subjects in certain circumstances.

3.9 Data Protection Officers (DPO)

Your business has nominated a data protection lead or Data Protection Officer (DPO).

It is important to make sure that someone in your business, or an external data protection advisor, takes responsibility for data protection compliance.

You may need to appoint a DPO. Any business can appoint a DPO but you must do so if you:

You may find it useful to designate a DPO on a voluntary basis even when the GDPR does not require you to.

The DPO should work independently, report to the highest management level and have adequate resources to enable your organisation to meet its GDPR obligations.

The DPO’s minimum tasks are to:

3.10 Management Responsibility

Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.

You should make sure that decision makers and key people in your business are aware of the requirements under the GDPR.

Decision makers and key people should lead by example, demonstrating accountability for compliance with the GDPR and promoting a positive culture, within your business, for data protection.

They should take the lead when assessing any impacts to your business and encourage a privacy by design approach.

They should help to drive awareness amongst all staff regarding the importance of exercising good data protection practices.

Step 4 of 4: Data security, international transfers and breaches

4.1 Security policy

Your business has an information security policy supported by appropriate security measures.

You should process personal data in a manner that ensures appropriate security. Before you can decide what level of security is right for you, you need to assess the risks to the personal data you hold and choose security measures that are appropriate to your needs.

Keeping your IT systems safe and secure can be a complex task and does require time, resource and (potentially) specialist expertise.

If you are processing personal data within your IT system(s) you need to recognise the risks involved and take appropriate technical and organisational measures to secure the data.

The measures you put in place should fit your business’s needs. They don’t necessarily have to be expensive or onerous. They may even be free or already available within the IT systems you currently have.

A good starting point is to establish and implement a robust Information Security policy which details your approach to information security, the technical and organisational measures that you will be implementing and the roles and responsibilities staff have in relation to keeping information secure.

4.2 Breach notification

Your business has effective processes to identify, report, manage and resolve any personal data breaches.

The GDPR introduces a duty on all organisations to report certain types of personal data breaches to the ICO and, in some cases, to the individuals affected.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

You have to notify the ICO of a breach unless it is unlikely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly and without undue delay.

In all cases you must maintain records of personal data breaches, whether or not they are notifiable to the ICO.

You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. The GDPR recognises that it will not always be possible to investigate a breach fully within that time period and allows you to provide additional information in phases, so long as this is done without undue further delay.

You should make sure that your staff understand what constitutes a personal data breach, and that this is more than a loss of personal data.

You should ensure that you have an internal breach reporting procedure in place. This will facilitate decision-making about whether you need to notify the ICO or affected individuals.

In light of the tight timescales for reporting a breach, it is important that you have robust breach detection, investigation and internal reporting procedures in place.

4.3 International transfers

Your business ensures an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area.

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations.

These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

You may only transfer personal data outside of the EU if you comply with the conditions for transfer set out in Chapter V of the GDPR.

PROCESSORS CHECKLIST

Step 1 of 4: Documentation

1.1 Information you hold

Your business has conducted an information audit to map data flows.

You should organise an information audit across your business or within particular areas. One person with in-depth knowledge of your working practices may be able to do this.

This will identify the data that you process and how it flows into, through and out of your business, for example to any agreed sub-processors or back to the controller.

Remember, an information flow can include a transfer of information from one location to another. For example, the information may stay within your business yet a transfer takes place because the department or other office is located elsewhere (off site).

Having audited your information, you should then be able to identify any risks.

1.2 Your business has documented what personal data you hold, where it came from, who you share it with and what you do with it.

Once you have completed your information audit, you should document your findings, for example in an information asset register.

Doing this will also help you to comply with the GDPR’s accountability principle, which requires you to show how you comply with the GDPR principles, for example by having effective procedures and guidance for staff.

You must record:

If you have fewer than 250 employees you only need to keep these records for processing activities that:

You may be required to make these records available to the ICO on request.

Step 2 of 4: Accountability and governance

2.1 Accountability

Your business has an appropriate data protection policy.

The GDPR requires you to show how you comply with the principles.

A policy helps you address data protection in a consistent manner and demonstrate accountability under the GDPR. This can be a standalone policy statement or part of a general staff policy.

The policy should clearly set out your approach to data protection together with responsibilities for implementing the policy and monitoring compliance.

You should make sure that management has approved the policy and that you publish and communicate it to all staff. You should also review and update it at planned intervals or when required to ensure it remains relevant.

2.2 Data Protection Officer (DPO)

Your business has nominated a data protection lead or Data Protection Officer (DPO).

It is important to make sure that someone in your business, or an external data protection advisor, takes responsibility for data protection compliance.

You may need to appoint a DPO. Any business can appoint a DPO but you must do so if you:

You may find it useful to voluntarily designate a DPO even when the GDPR does not require you to.

The DPO should work independently, report to the highest management level and have adequate resources to enable your organisation to meet its GDPR obligations.

The DPO’s minimum tasks are to:

You should document the internal analysis you carried out to determine whether or not to appoint a DPO unless it is obvious that your business is not required to designate one.

2.3 Management Responsibility

Decision makers and key people in your business demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business.

You should make sure that decision makers and key people in your business are aware of the requirements under the GDPR.

Decision makers and key people should lead by example, demonstrating accountability for compliance with the GDPR and promoting a positive culture within your business for data protection.

They should take the lead when assessing any impacts to your business and encourage a privacy by design approach.

They should help to drive awareness amongst all staff about the importance of exercising good data protection practices.

2.4 Information risks and data protection impact assessments

Your business manages information risks in a structured way so that management understands the business impact of personal data related risks and manages them effectively.

You should set out how you manage information risk.

This task could be driven by the controller you are providing services for and you should ensure you work with them so that all information risks you identify are fed back on a regular basis.

You need to have a senior staff member with responsibility for managing information risks, coordinating procedures that mitigate them and logging and risk assessing information assets.

You should have appropriate action plans in place to mitigate any risks you have identified that are not tolerated or terminated.

Before the start of a new contract with you, the controller should complete a Data Protection Impact Assessment (where the circumstances require one to be completed). As processor you should be ready to provide your input to this assessment and work with the controller to mitigate any risks identified. Having an established information risk management framework in place will assist you to do this effectively.

2.5 Data Protection by Design

Your business has implemented appropriate technical and organisational measures to show you have considered and integrated data protection into your processing activities.

Under the GDPR, processors have a general obligation to implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities. This is referred to as data protection by design and by default.

You should adopt internal policies and implement measures which help your business comply with the data protection principles – this could include data minimisation, pseudonymisation and transparency measures.

2.6 Training and awareness

Your business provides data protection awareness training for all staff.

You should brief all staff handling personal data on their data protection responsibilities. It is good practice to provide awareness training on or shortly after appointment with updates at regular intervals or when required.

Consider specialist training for staff with specific duties, such as information security, database management and marketing.

Regularly communicating your key messages is equally important to help reinforce training and maintain awareness (for example intranet articles, circulars, team briefings and posters).

2.7 Data processing contracts

Your business only processes data on the documented instructions of a controller and there is a written contract setting out the respective responsibilities and liabilities of the controller and your business.

When processing personal data, you must have a written contract in place between you and the controller, or another legal act must apply.

The contract is important so that both parties understand their responsibilities and liabilities.

The GDPR sets out what you need to include in the contract, including the requirement only to act on the written instructions of the controller.

Although the controller is ultimately liable for overall compliance with the GDPR and for demonstrating that compliance, as processor you have some direct responsibilities and liabilities of your own.

If you fail to meet any of these obligations, or act outside or against the instructions of the controller, you may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures.

In the future, you may wish to consider looking at approved codes of conduct or certification schemes to help you and the controller to demonstrate your suitability as a data processor. However, they are not yet available.

Standard contractual clauses may be provided by the European Commission or the ICO, and may form part of such a code or scheme. However, they are not yet available.

2.8 The use of sub-processors

Your business has sought prior written authorisation from the controller before engaging the services of a sub-processor, and there is a contract in place.

You may only engage another processor (sub-processor) if you have the prior written authorisation of the data controller.

You must put in place a contract with the sub-processor (or other legal act) that imposes specific obligations on the sub-processor.

As processor you remain liable to the controller for the performance of the sub-processor’s obligations.

The prior authorisation to use a sub-processor may be specific or general. However, if general, then you must tell the controller in advance of any changes you intend to make regarding the addition or replacement of other processors, so that the controller has the opportunity to object.

2.9 Operational base

If your business operates outside the EU, you have appointed a representative within the EU in writing.

Under the GDPR, if your business is located outside the EU, and you offer products and services to citizens in the EU, then there is a requirement for you to appoint (in writing) a representative within the European Union.

You may only transfer personal data outside the EU in compliance with the conditions for transfer set out in Chapter V of the GDPR.

2.10 Breach notification

Your organisation has effective processes to identify and report any personal data breaches to your controller.

The GDPR introduces a duty on all processors to inform controllers of a personal data breach “without undue delay” after becoming aware of it. It is therefore important that you have internal and external breach identification and reporting procedures in place.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

You should make sure that your staff understand what constitutes a personal data breach, and that this is more than a loss of personal data.

Step 3 of 4: Individual rights

3.1 Right of access

Your business has a process to respond to a controller's request for information (following an individual's request to access their personal data).

Individuals have the right to obtain:

You should have robust procedures in place and assign responsibility within your business to recognise and deal with these types of requests in a timely manner, regardless of whether they are sent to you or to the controller.

If you have identified and documented all the data you process it will make it easier to locate and retrieve specific information as requested by the controller. Information must be provided to the requester by the controller without delay and at the latest within one month of receipt of the request, extended by a further two months for complex or numerous requests (in which case the individual must be informed and given an explanation). See our guidance for more information on how to calculate the due date for a response.

If the request is made electronically, you may be required by the controller to send them the information in a commonly used electronic format.

You should set out timescales for your response to a request for an individual’s information within the written contract with the data controller.

3.2 Right to rectification and data quality

Your business has processes to ensure that the personal data you hold remains accurate and up to date.

Individuals have the right to have personal data rectified if it is inaccurate or incomplete.

You should have processes in place to enable you to respond to a request from a controller to rectify inaccurate data within one month of the request.

It is good practice to place a note on any record to indicate that the accuracy of the information is under dispute and why.

If you have disclosed this personal data to others, you must contact each recipient and inform them of the restriction on the processing of the personal data, unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individuals about these recipients.

You should regularly review the information you process or store on behalf of a controller to identify when you need to take action, e.g. to correct inaccurate records. Records management policies, with rules for creating and keeping records (including emails), can help.

Conducting regular data quality reviews of systems and manual records will help you ensure the information continues to be adequate for the purposes of processing under your written contract with the controller.

You should also ensure that you complete regular data quality checks to provide assurances on the accuracy of the data your staff are inputting.

If you identify any data accuracy issues, you should communicate lessons learned to staff through ongoing awareness campaigns and internal training.

See the guidance on our website for more information on how to respond to these types of requests.

3.3 Right to erasure, including retention and disposal

Your business has a process to routinely and securely dispose of personal data that is no longer required, in line with the agreed timescales as stated in your contract with the controller.

Individuals have the right to be forgotten and can request the controller (and therefore you also as processor) erase their personal data when:

You should pay special attention if there are existing situations where a child has given consent to processing and they later request erasure of the data (regardless of age at the time of the request), especially on social networking sites and internet forums. This is because a child may not have been fully aware of the risks involved in the processing at the time of consent.

These requests will be received initially by the controller. However, if you also process and store this data, then you need to have appropriate procedures in place to ensure you erase it permanently, and within one month of receipt.

You should have standard contract clauses covering erasure, data retention and disposal. You should ensure that these conditions are met. A written retention policy will remind you when to dispose of various categories of data, and help you plan for its secure disposal.

See the guidance on our website for more information on how to respond to these types of requests.

3.4 Right to restrict processing

Your business has procedures to respond to a data controller's request to suppress the processing of specific personal data.

Individuals have a right to block or restrict the processing of their personal data.

When processing is restricted, you are permitted to store the personal data, but not process it further.

You can retain just enough information about the individual to ensure that you respect the restriction in the future.

A controller may request that as their processor you restrict the processing of personal data if:

You should action these requests within one month of receipt. See our guidance for further information relating to responding to these types of requests.

3.5 Right to data portability

Your business can respond to a request from the controller to supply the personal data you process in an electronic format.

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

They can receive personal data or move, copy or transfer that data from one business to another in a safe and secure way, without hindrance.

The right to data portability only applies:

You must provide information without delay and at the latest within one month of receipt. Your controller may receive such a request and so you should be able to supply them with any applicable data you process on their behalf to enable them to fulfil the request.

You must provide the personal data in a structured, commonly used and machine-readable format. Examples of appropriate formats include CSV and XML files.

If the individual (and so the controller) requests it, you may be required to transmit the data directly to another business where this is technically feasible.

See ICO guidance for further information relating to responding to these types of requests.

Step 4 of 4: Data security

4.1 Security policy

Your business has an information security policy supported by appropriate security measures.

You should process personal data in a way that ensures appropriate security.

Before you can decide what level of security is right for you, you need to assess the risks to the personal data you hold and choose security measures that are appropriate to your needs.

Keeping your IT systems safe and secure can be a complex task and does require time, resource and (potentially) specialist expertise.

If you are processing personal data within your IT system(s) you need to recognise the risks involved and take appropriate technical measures to secure the data.

The measures you put in place should fit your business’s needs. They don’t necessarily have to be expensive or onerous. They may even be free or already available within the IT systems you currently have.

A good starting point is to establish and implement a robust Information Security policy which details your approach to information security, the technical and organisational measures you will be implementing and the roles and responsibilities staff have in relation to keeping information secure.

Article ID: 2840
Last updated: 31 Oct, 2019
Revision: 18
https://kb.taxcalc.com/index.php?View=entry&EntryID=2840