The UK General Data Protection Regulation (GDPR) is the main law in the UK when it comes to data protection. It was put into place in 2018 and is the UK’s version of the EU law of a similar name. The law makes some important changes from the previous Data Protection Act in how we consider consent and accountability.
Anyone who collects data (data controllers) or handles data (data processors) is impacted by the regulation. But what does it actually say?
The law sets out seven key principles for anyone collecting or processing data:
- Lawfulness, Fairness and Transparency
- Purpose Limitation
- Data Minimisation
- Accuracy
- Storage Limitation
- Integrity and Confidentiality (Security)
- Accountability
Read on to find out more about how these rules affect your organisation.
1. Lawfulness, Fairness and Transparency
Each of the seven points is equally important in the eyes of the law, but fairness guides all of them. You should have clear, valid grounds for using personal data. Make sure you’re using the data for the right reasons! You can’t break any other laws or do anything that is unfair to those concerned.
2. Purpose Limitation
Even if you’ve got a valid reason to have the data, this isn’t a free pass to do what you want. You can use the data for other purposes, but only within limits: any new purpose should be compatible with the original purpose or tied to a specific law. Otherwise, you need to gain further consent.
For this reason, you should always be upfront with your motives. Sometimes, your needs will change. Research and statistics are considered fair, but make sure to double-check if you have any doubts.
3. Data Minimisation
Any data you collect should be relevant to your intended purpose. Before you start, you should put work into defining the specific data you need to fulfill your task. Anything you request should be adequate, relevant and limited. This also means reviewing the data you store and deleting anything you no longer use.
4. Accuracy
You must take steps to check whether the personal data you hold is correct. This starts at the point of data collection. There may be human mistakes when collecting personal data, but you should take every measure to ensure this is as rare as possible.
This also means being willing to make changes. The data you have might become outdated, and you should have a process for updating your records. If anyone poses a challenge to the data, this should be noted. Remember: people have the legal right to rectify data that concerns them.
5. Storage Limitation
Storage limitation is about the time you keep data for. In short, you shouldn’t keep it for any longer than necessary. You should have standards for reviewing which data is still useful to avoid losing your valid reason to hold the data. One of the only exceptions is if retaining the information is in the public interest.
6. Integrity and Confidentiality (Security)
In the digital age, security is at the heart of data protection. Make sure you have strong safeguards in place before you even start collecting data. This is especially the case if you’re handling special category data but is good practice for any set of data.
Any data processors you use should be fully GDPR-compliant. Not all security is equal! The highest level of AES encryption is the 256-bit standard, so you should look out for this when using any software. Also check for validation such as ISO 27001 for the software and CMMI-level 5 accreditation for the company.
When it comes to personal data, there’s no such thing as too much security. The digital age offers new opportunities to protect your data so make sure to take advantage of them. Ensure you have features like multi-factor authentication, 24/7 intrusion detection and granular access controls.
7. Accountability
The last principle on the list says that you are responsible for any data you collect. This means you should take reasonable measures to look after it. These can include the security measures detailed above as well as reasonable compliance measures.
The GDPR values good processes as much as it values perfect results. Make sure you’re doing everything you can to demonstrate compliance with the law. If there are any breaches of the GDPR, we have also written about the next steps you should take!
A Board Portal like Convene can help you ensure the integrity of any data you collect. Our all-in-one meeting solution is fully GDPR-compliant and designed to the highest level of security. With a full suite of tools like an agenda builder, live voting and autogenerated meeting minutes, you can streamline your compliance processes. Convene is now also available fully integrated with Microsoft Teams so your whole organisation can benefit from a full audit trail of their formal meetings and business processes. Check out our customer success stories or book a free trial today.