Who Does it Apply to?

The UK GDPR applies to UK businesses and organizations and International businesses and organizations who collect and process personal data of UK citizens.

Personal Data

Personal data is defined as any information or identifiers that enables an individual to be identified either directly or in combination with other data that relates to the individual. Examples of identifiers are name, location data, ID number and online identifier (including IP address and cookies identifiers).

Principles

The Principles for the UK GDPR are the same as those for the GDPR. There are 7 of them:

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability

For further information on these principles see our article "The Seven Key Principles of GDPR"

Key Areas of Change in UK GDPR

There are a few key areas where changes have had an impact on data transfer between the UK and the EEA (European Economic Area) since Brexit. These are:

• International Data Transfers
• EU representatives
• EU regulatory oversight
• other minor updates

International Data Transfers

If your UK business or organization transfers personal data to or from other countries, including those in the EEA, you can transfer that data as long as it is covered by one of the following:

• an adequacy regulation: this was previously known as an adequacy decision under GDPR. It is a decision made by the UK government in relation to transferring personal data to third countries and international organizations.
• an appropriate safeguard: the appropriate safeguards are the above mentioned adequacy decision, the provision allowing the continued use of SCC's (EU Standard Contractual Clauses) and thirdly certain binding corporate rules
• an exception: if you make a personal data transfer that is not covered by either the adequacy regulation or an appropriate safeguard then it must be covered by an exception. The exceptions are: valid consent given by the individual, a valid contract with this individual that requires a transfer in order to enter the contract, a contract with an individual that benefits another individual whose data is being transferred and is necessary in entering or performing the contract, the transfer is being made in public interest, establishing a legal claim, protecting the vital interests of an individual who is physically or legally incapable of giving consent, the transfer is from a public register, or a its a one time only transfer that is in your compelling legitimate interests.

EU Representatives

If you are a UK based controller or processor and you have no offices, branches or establishments in the EEA,and you are offering goods and services to individuals or monitoring the behaviour of individuals in the EEA you will need to consider appointing an European representative.

Your representative needs to be located in the EEA and be able to represent you with regards to any obligations under EU GDPR. This can be done using a service contract with a law firm, consultancy or private company.

There is no need to appoint an European representative if the processing of personal data is only occasional and is low risk, does not involve large scale processing of special category or criminal offense data.

EU Regulatory Oversight

If you are a UK based organization who's data processing includes cross border processing or if you are "targeting" EEA or EU individuals then you will also need to comply with then there are a number four scenarios which may apply to you. See the ICO's EU Regulatory Oversight page for details.

Other Minor Updates

If you are a UK business or organization that processes personal data and is subject to the EU GDPR then the following may apply:

Privacy Policies

Ensure your current privacy policy reflects any changes to intentional transfers, that your conditions for processing personal data are still valid and in current terminology and if you are required to have an EU representative you identify them in your policy.

Rights of Data Subjects

The UK GDPR applies to the processing of personal data regardless of where the individuals who's data you are processing reside.

Documentation

If your organization transfers data internationally, you may need to review the information that is required in your record of processing activities.

Data Protection Officers (DPO's)

If you were required to have a DPO prior to the exit date, then you will continue to require a DPO. You may choose to use one DPO to cover both the EEA and UK or one for each.

Conclusion

The UK GDPR is very similar to the EU GDPR, with one major difference. The framework is now controlled by the UK government instead of the EU.

There have been very few changes made to the laws, with some changes in international data transfers, EU representatives, EU regulatory oversight and a few other minor updates.

The UK GDPR now sits alongside the Data Protection Act (DPA) 2018 as the United Kingdoms personal data processing laws.

The post What is the UK GDPR? appeared first on PrivacyTerms.io.

A Data Protection Policy is a policy that outlines how a company uses, manages, secures and protects their data. It's main objective is to ensure the security of the data it handles and maintains. The policy contains information on what kind of data you collect and store, how your company handles this data, it's processing and any breaches in security.

The Difference Between a Data Protection Policy and a Privacy Policy

A Data Protection Policy is an internal policy for the handling corporate data so employees are aware of and can follow best practices. Where as a Privacy Policy is a policy for your users which outlines how you collect, use, manage and store their personal data. The Privacy Policy is placed on your website, the Data Protection Policy is not.

Do I Need a Data Protection Policy?

Before we answer this question, it's imperative to ask do you need a Data Protection Officer? as the answer to this question will determine the answer to the original question.

A Data Protection Officer (DPO) is required if:

• you are a public authority or body
• you carry out regular large scale monitoring of individuals
• your companies core activities are processing of data which is related to criminal offenses and/or convictions.

If your company requires a DPO then you will also require a Data Protection Policy so that your DPO can demonstrate compliance with GDPR principles. If you do not need to appoint a DPO then you are not required to have a Data Protection Policy in place.

Main Elements Of a Data Protection Policy

The Data Protection Policy for your company needs to include the following elements:

1. The Purpose of the policy- description of the reason for the policy and the importance it holds in the company. Consider this section as an outline of your companies vision for data privacy.
2. Definitions- defining the key terms of the policy. The GDPR encourages policies to be written in as simple, clear language as possible. This list of definitions helps people who are not familiar with terms like data subject, data controller or territorial scope for instance.
3. Scope of Data Protection-outlines the type of data your company protects and who this policy is directed towards.
4. Data Protection Methods- what safeguards the company has in place to help protect personal and sensitive data once it's collected. A guide for the individual and departments.
5. The Principles- outlining the major principles for processing personal data collected and stored by your company.
6. Data Subject Rights- List and define the eight subject rights of individuals. There should also be a statement that your company will adhere to these.
7. Roles and Responsibilities- outlining the key roles and responsibilities of staff members and the data protection and processing officer if you have one.
8. Accountability- is the compliance with and responsibility for the Data Protection Principles.
9. Legal Requirements for Data Protection- data protection principles to be followed by all staff who are handling personal data.
10. Reporting Data Breaches-ensure that your company understands what a data breach is and has a process in place to report any data breaches that require being reported.
11. Training- If your company trains staff in relation to Data Protection policies then it should be added to your policy.

1. The Purpose of the Policy

This is the introduction to the policy. It is an outline as to what the policy covers and what the purpose of it is. This section outlines the company's data privacy and protection vision.

Axiomatic have outlined clearly what and who (both their clients and employees) their Data Protection Policy covers. They have stated that the policy will cover how personal data will be processed, handled and stored.

2. Definitions

A lot of the terms in the Data Protection Policy may be unfamiliar to your staff. Terms like "data protection officer", "data subject" and even "personal data" are unfamiliar terms to those who have little or no experience with Data protection laws. Having a list of definitions of the key terms will help your staff to understand the policy.

HSE have chosen to list the definitions in the Appendix of their Data Protection Policy. They have a very comprehensive list of definitions, which is what needs to be found in a comprehensive Data Protection Policy.

3. Scope of Data Protection

The scope of the Scope of the Data Protection Policy contains information about who the policy is aimed at as well as the type of data the company is referring to.

Solvay have clearly stated that the terms of their policy are aimed at agents and contractors that handle and process personal information on their behalf. The also state what personal information the policy is related to. This is a great example of a well written scope in a Data Protection Policy.

4. Data Protection Methods

What Data Protection methods does your company employee to safeguard the personal information it handles? The Data Protection or Data Security section of the Data Protection Policy is where the companies security measures are listed. What procedures does your staff need to follow as well as what data protection have you got in place?

As you can see in the above example taken from the Data Security section in the Hope Learning Trust York Data Protection Policy, they have clearly listed what procedures their staff need to follow, including banning of the use of personal devices. The policy is written clearly and concisely as recommended by the GDPR.

5. The Principles

The GDPR set out a set of Data Protection Principles that your company needs to comply with. The Principles section of the Data Protection Policy is where you set out the principles before explaining how your company implements them.

The NHS lists the GDPR principles that it's Data Protection Policy follows, so they are compliant with the GDPR.

6. Data Subject Rights

The Data subject is your customers, clients and/or users. In this section of the Data Protection Policy the rights of the subject needs to be listed to comply with the GDPR.

Daimler have listed each of the data subject rights that are necessary to be GDPR compliant. It is clear what the rights of their customers are and what action is required in each situation.

7. Roles and Responsibilities

The roles and responsibilities section outlines what the roles and responsibilities of staff members and the Data Protection and Privacy Officer (if you have one) are.

In the above example, Solvay clearly state that all employees have a responsibility to assist in the protection of Personal Information. Solvay do have a Data protection and Privacy Office, and this section states what their responsibilities are. They have included what actions may be taken should their employees not comply with this.

8. Accountability

The accountability section of the Data Protection Policy outlines that the company must be responsible for and compliant with the Data Protection Principles.

As you can see in the above example, from The University College of Cork's Data Protection Policy, they have a data controller. Their policy lists what the data controller is accountable for in order to comply with the GDPR.

9. Legal Requirements for Data Protection

Under the GDPR their are six legal requirements for data protection. These requirements should be included in your Data Protection Policy along with any additional company requirements.

The above example from IGI is a good example of what this section of your Data Protection Policy should read like. They have listed the six lawful bases for processing personal data to be compliant with the GDPR. They have then added how these bases are to be incorporated into the processing of their subjects personal data.

10. Reporting Data Breaches

What is a data breach?

A personal data breach is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data".

It is crucial that your company has a data breach policy in place so that you can report it as quickly as possible.

However not all data breaches require reporting. There are a few points you need to consider before you report the breach:

• does the breach pose a risk to people?
• does the breach pose a risk to peoples rights and freedom?

If there is a likely risk then you need to contact ICO and if the risk is unlikely then you do not.

For a risk assessment check you can take the self assessment questionnaire on the ICO website.

As you can see from the example above The University of Sussex has a comprehensive Reporting Data Breaches section in their Data Protection Policy. They define what a breach is and outline the steps that are to be taken if one occurs.

11. Training

Should your company implement training on data protection then this should be added to your Data Protection Policy. Training is advisable to ensure staff are fully aware of what is required from them and how important the protection of your customers personal data is.

The University of Birmingham requires all of their staff to complete a training course in data protection and this is written into their Data Protection Policy as shown above.

In Conclusion

The main sections to be included in your Data Protection Policy are:

• The Purpose of the Policy
• Definitions
• Scope of Data Protection
• Data Protection Methods
• The Principles
• Data Subject Rights
• Roles and Responsibilities
• Accountability
• Legal Requirements for Data Protection
• Reporting Data Breaches
• Training

A Data Protection Policy outlines the way in which your company uses, manages, secures and protects their data.

The Data Protection Policy is different from a Privacy Policy. The Protection Policy is an internal policy meant for the staff and DPO of your company. A Privacy Policy is an external policy outlining how your customers and/or users personal data is collected, used and stored by your company.

If your company or organization is required to hire a DPO then you also require a Data Protection Policy to help your DPO show that they can demonstrate compliance with GDPR.

For a comprehensive Data Protection Policy, we recommend using our privacy policy generator.

The post Data Protection Policy - What is it? appeared first on PrivacyTerms.io.

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Storage limitation
• Integrity and confidentiality (security)
• Accountability

These principles are set out at the very beginning of the legislation and are the building blocks for the rest of it. They are what your Privacy Policy needs to be based on in order to ensure it is GDPR compliant. Let's take a look in a little more depth at each of these key principles.

1. Lawfulness, Fairness and Transparency

According to the GDPR “Personal data shall be:

"processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’)”

Article 5.1(a) GDPR

You need to ensure you satisfy all three elements of this principle; lawfulness, fairness and transparency.

Lawfulness

What is meant by lawfulness in relation to the GDPR?

In order to satisfy the lawfulness aspect of this principle you must identify grounds for the processing of any personal data. There are 6 lawful basis's for processing personal data and at least one of these must be applicable when processing personal data. They are:

1. Consent: you have been given consent by the individual to process their personal data.
2. Contract: there is a contract in place with the individual and processing their personal data is necessary to fulfill this contract, or you have been instructed by the individual to process their data prior to entering into the contract.
3. Legal obligation: you must process the information in order to comply with the law.
4. Vital interests: you must process the personal data in order to protect an individuals life.
5. Public task: processing the personal data of an individual is a necessary component in performing a task in the public interest or for official functions of your company. This task must have a clear legal basis.
6. Legitimate interests: the processing of personal data is required in the legitimate interests of yours or a third parties, unless there is a reason to protect the individual, which overrides these interests.

Fairness

Fairness in relation to the GDPR means that you should only be processing and handling personal data in ways that the individual would expect. There should be no negative effects on the individual through your processing their personal data.

Another aspect of fairness is the way in which the information has been obtained from the individual. You must ensure that the individual is aware of why and how their personal data is being collected. If you have obtained the personal data through unjust means then this is unlikely to comply with the fairness aspect of this principle.

Transparency

What is meant by transparency in GDPR?

Being transparent means that you are being open, honest and clear about how you collect, use and manage individuals personal data. You must ensure you make this information easily accessible for your users as well as being written in clear and easily understood language. This information is part of your Privacy Policy which needs to be placed in an obvious place on your website in order for your users to see and read it.

To comply with the lawfulness, fairness and transparency principle you must:

1. identify a lawful reason for processing
2. identify a condition for processing either special category or criminal offense data
3. only use the personal data for lawful purposes
4. consider how the processing of personal data will impact the people who's data it is and be able to justify it if there is any negative impact on them
5. process personal data in expected ways or be able to explain why you are processing it for other reasons
6. are not deceptive or misleading in your collection of personal data
7. open and honest about the collection and use of personal data

2. Purpose Limitation

According to the second key principle of the GDPR "Personal data shall be:

"collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);"

Article 5.1(b) GDPR

What this essentially means is that you must be clear about why you collect your users personal data and how you use it and if you use the personal data for another reason than originally specified, that it''s use is fair, lawful and transparent.

To ensure you are complying with the purpose limitation principle you will need to:

1. identify the purpose for processing
2. document the purpose
3. include details of reason for collecting personal data in your privacy policy
4. ensure that any personal data you plan to use for a new purpose is either compatible with the original purpose or make sure you get consent for the new purpose.

3. Data Minimization

The third key principle of the GDPR is data minimization. According to this principle, "personal data shall be":

"adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);"

Article 5.1(c)

This means that you must collect the least amount of personal data to fulfill the purpose it is intended for. Holding more data than is required is unlawful and a breach of the data minimization principle.

To make sure you are complying with the data minimization principle you will need to:

1. collect personal data only when it is needed for a specific purpose
2. have only enough personal data to fulfill the purpose
3. review the data from time to time and delete any unnecessary data

4. Accuracy

The fourth key principle of the GDPR is accuracy. The accuracy principle states that "personal data shall be":

"accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);"

Article 5.1.(d) GDPR

The accuracy principle requires that you ensure the accuracy of any personal data you collect (within reason) and that this data remains valid and fit for purpose.

In order to comply with the accuracy principle you will need to:

1. ensure the accuracy of any personal data collected
2. update the data as required
3. keep records of any mistakes
4. comply with the right to rectification

5. Storage Limitation

The storage limitation principle is the fifth key principle of the GDPR. According to the storage limitation principle "personal data shall be":

"kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);"

Article 5.1.(e) GDPR

The fifth key principle means that you cannot hold data for longer than is required and you must be able to justify the reason for storing the data.

Personal data may be held for longer periods of time if you are keeping it for one of these reasons:

• public interest archiving
• scientific or historical research
• statistical purposes.

In order to comply with the storage limitation principle you will need to ensure that you:

1. know what personal data you hold
2. know why you hold this data
3. be able to justify the length of time you retain personal data
4. erase or make anonymous any personal data that is no longer required
5. have a process in place for requests to have personal data erased

6. Integrity and Confidentiality (security)

The sixth key principle in the GDPR is the Integrity and Confidentiality Principle, also known as the Security Principle. According to this principle, "personal data shall be":

"processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’)."

Article 5.1.(f) GDPR

To ensure you are complying with the Integrity and Confidentiality Principle you need to:

1. determine the level of security that is required. This will depend on the type and amount of personal information being processed
2. you have a security policy and ensure that you follow it
3. have basic technical controls in place to reduce cyber attacks
4. use encryption when appropriate
5. understand the confidentiality, integrity and availability of the personal data you collect and process
6. ensure there is an appropriate back up process in place in the event that personal data is lost
7. conduct regular reviews of the security measures in place to ensure their efficacy and make adjustments to your procedures as required

7. Accountability

The accountability principle is the seventh key principle in the GDPR. According to Article 5.2 of the GDPR:

"The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)."

Article 5.2 GDPR

There are two key points in the accountability principle and these are that you must be responsible and comply with the GDPR and you are required to demonstrate how you comply.

To demonstrate your compliance you will need to:

1. keep evidence of how you comply with the GDPR
2. ensure your Privacy Policy is GDPR compliant
3. have a data protection policy in place if applicable
4. use a data protection by design approach- implementing the best data protection methods throughout your processing operations
5. implement the appropriate security measures
6. record and report any personal data breaches if they occur
7. appoint a data protection officer if required

To ensure your business is GDPR compliant you are required to follow the above seven key principles and adhere to them as much as possible. We have provided you with what is required in order to be compliant with each of the principles. To ensure your Privacy Policy is compliant with the GDPR you can download our Professional Privacy Policy.

The post The 7 Key Principles of GDPR appeared first on PrivacyTerms.io.

The exact content of your websites Privacy Policy will be determined by the type of business you are running. However all Privacy Policies do require these things in order to be GDPR compliant: an outline of what personal data your company collects, why you collect that data, who the data may be shared with, where it is stored, and how it is kept protected. It must also ensure that users are made aware of all of their rights when it comes to their personal data.

What is a Privacy Policy?

A Privacy policy is a legal document. It is an agreement between you and your user hat outlines what data you collect from them, and how and why you collect their personal data. It also explains where and how the data is stored and what security measures you have in place to protect the data.

There are international privacy laws that your privacy policy should comply with. For further information read on international laws, read our article: International privacy laws

What to Include in a GDPR compliant Privacy Policy

To understand what is required in a GDPR compliant privacy policy you need to know what GDPR is. GDPR stands for the General Data Protection regulation which the EU put in place to protect the rights of its residents and citizens and their personal data. It is a law For an in depth look into the GDPR read our article GDPR Compliance and Checklist.

Here is a list of the sections and clauses that your GDPR Privacy Policy need to include:

• Table of Contents
• Data Collection
• Personally Identifying Information'
• Non-Personally Identifying Information
• Cookie Policy
• Data Protection Rights (Under GDPR)
• Data Protection Fee
• Policy Changes
• Contact Information
• How to Contact Data Controller
• How to Contact Data Protection Officer

Table of Contents

Data Collection

A clear explanation of what kind of data will be collected from the user is a must in order to be GDPR compliant. It is also required that you include how the data is collected, where the data is stored and processed and how long the data is retained. Another aspect of data collection to include is the security measures you have implemented to protect your users personal data.

Personally Identifying Information

Your Privacy Policy needs to explain what Personally Identifying Information (PII) is. Let your users know what types of PII your company/website collects (example: Full name, Street Address, birthdate). It is also required for you to explain:

• how the information collected is used
• whether the information may be disclosed to third parties
• and if so who, how the user can opt in or opt out of personal information collection
• how they can update, restrict or delete their personal information
• how they can request erasure of their personal information.

Non Personally Identifying Information

Your company/website may also collect Non Personally Identifying Information like education status, geo location or IP address. A Privacy Policy needs to contain information about what type of Non-Personally Identifying Information you collect and how you may use this information also.

Cookies

Your Privacy Policy should have a section explaining Cookies. What is a cookie? and how does it enables certain functions on your website? What types of cookies does your website use and what are they used for? and how can your users opt out of them if they wish?

Your Data Protection Rights

In alignment with the GDPR, see our article on it here, you must outline the data protection rights of your users/customers.

The rights are as follows:

• to be informed: Your users have the right to be know about how you collect and use their personal data. This is a major requirement under the GDPR to promote transparency. Users must be provided information of Privacy at the time their personal data is collected.
• of access: Your users have the right to access their data at any time, they can request this either verbally or through writing to you. You have a one month time period in which you must respond to the request.
• rectification: Users of your website have the right to have any inaccuracies in their personal data changed. This can be done through a verbal or written request and you have one calendar month in which to respond.
• to be forgotten: Under the GDPR users have the right to have their personal data erased. This right can also be known as the right to erasure. Once again users can make this request either verbally or through writing and you have a month is which to respond to the request.
• restrict processing: users have the right to request that you do not process their personal data. The can make this request either verbally or in writing and you need to respond within one calendar month. However the right to have personal data restricted only applies in certain circumstances.
• object to processing: Your users have the right to object to their personal data being used for the purpose of direct marketing. They can also request that you stop processing their personal data and there are some circumstances in which this applies. These circumstances are if the processing is for :" a task carried out in the public interest; the exercise is of official authority vested in you; or your legitimate interests (or those of a third party)."
• data portability: this right allows your users to have access to their personal data so they can use it for their own purposes. They can move this data from one IT environment to another safely and securely.
• to object to automated processing: Your users are able to object to the processing of their personal data that is processed without human involvement by automated means.

Data Processing Fee

You must let your users/customers know if there may be a processing fee for any of their requests involving their data. In most cases a fee won't apply but you must inform them of the chance there may be one.

Contact details

You must put the company contact details in your privacy policy statement in order for your users to be able to contact you easily.

How to contact the data controller

Under the GDPR you must have contact details for the data controller officer (if you have one) made available in your Privacy Policy.

How to Contact data protection officer

Contact detail for the data protection officer (if you have one) are to be made available in your privacy policy under the GDPR.

The post What to Include in a GDPR Privacy Policy appeared first on PrivacyTerms.io.