This is the 2nd blog in our series – our first blog addressed the basic definitions and in this blog we will look at the core principles of GDPR and how these may affect your processes. We will touch on Privacy Notices and Data Audits in here too.
So let's get started! GDPR has 6 core principles, which are:
Lawfulness, fairness and transparency principle
Purpose limitation principle
Data minimisation principle
Accuracy principle
Storage limitation principle
Integrity and confidentiality principle
We will go through each of these in turn, explaining what they mean and how they affect your processing of personal data.
1. Lawfulness, fairness and transparency principle
This states that personal data must be processed "lawfully, fairly and in a transparent manner." You have to tell your data subjects exactly what you are going to do with their personal data once you have collected it, including how long you are going to hold it for, what you are going to use it for and what their rights are. You can set all of this out in a Privacy Notice, which should include:
Identity and contact details of Data Controller
Purposes and legal basis for processing
If legal basis is “legitimate interests” what are they? – we will cover this in a later blog
Recipients or categories of recipients of the data – are you sending it to anyone else, such as referrers?
Any cross-border transfers and on what basis they are made.
How long will the data be held for – data retention periods
Outline the rights of a data subject – this is just a generic paragraph covering their rights (we will talk about data subject rights in a later blog too)
Whether a statutory or contractual requirement to process exists
The existence of automated decision making and logic involved.
2. Purpose limitation principle
This principle states that personal data shall be “collected for specified, explicit and legitimate purposes.” This means that you should only use the data for the purpose you have specified at the time of collection. If you collect the data for treatment, don’t start spamming clients with marketing.
3. Data minimisation principle
"Data should be adequate, relevant and limited to what is necessary." Don't collect any more data than you require for the purpose you are collecting it for. We all get asked for extra information that is not necessary for the task we are asking to be carried out. For example, when you are asked for your email address at the sales desk in a shop, the shop does not need it to process the sale. You can always go back and ask your clients for additional information later if you need it.
4. Accuracy principle
You need to keep the personal data you hold accurate and up to date, and take reasonable steps to make sure this is the case. You will probably already have processes in place for keeping your data current; make sure these processes are written down and followed by everyone.
5. Storage limitation principle
You can only hold personal data for "no longer than is necessary", so you must have a justifiable reason to hold on to it. Clinic owners are subject to legal record-keeping timeframes (8 years) for certain parts of their client records, and these legal requirements will cover you when it comes to this principle. If you wish to hold on to the personal data for longer than the legal requirements, you must have a justifiable reason to do so and state it clearly in your privacy notice.
6. Integrity and Confidentiality principle
This principle covers the security of the personal data. It states that personal data must be protected against "unauthorised or unlawful processing and against accidental loss, destruction or damage." Clinics are advised to take a layered approach to security, using both technology and people. Make sure all of your data is backed up securely, that access to sensitive files is restricted, and that you have adequate technical barriers such as firewalls in place. Also make sure ALL of your staff are sufficiently trained in data security and that training is refreshed regularly.
The ICO states that you are only expected to do what is reasonable for your clinic to protect the personal data. You should consider the following and take appropriate action:
Cost of implementing security
Nature, scope and context of your personal data
Harm it may cause as a result of improper use, accidental loss or destruction
Looking at all the principles above and how they affect the data processing in your clinic is the beginning of your data audit. Carrying out a data audit will help you find out all the types of personal data you hold, where it is stored and why you have it. It will also help you identify any gaps in your compliance. To carry out a data audit, look at each set of personal data you hold in your clinic and answer the following questions about it:
What personal data do you hold?
Why do you have it?
Is it all necessary?
Is there any data that may be out of date or inaccurate?
How long do you store it for?
Where is it stored?
Who has access to it?
Are you a controller or a processor of this data?
Document all the different types and categories of data you hold, with the answer to each question recorded against each type of data. Something like a spreadsheet is ideal for this (and recommended; it's what we have used), as it can then act as a central point of reference. It will also form part of an audit trail, showing that you have carried out the data audit, should you ever need to answer any questions about it.
This task may seem daunting but once you have completed it once, you will only have to refresh it when something changes. So why not start your data audit now and begin your compliance journey?