
2023-12-23 15:19:50

GDPR Training by Aim - Module 4 - Principles


Welcome to Module 4, Principles.

The GDPR is built upon a set of principles which govern the way organisations should manage personal data.

At the end of this module, you will have a basic understanding of the six data protection principles and how the principles are applied to the processing of personal data.

Here's a scenario.

A former employee of the House of Lemons, importer of fine oranges, makes a subject access request for all records and correspondence regarding a disciplinary action from 2015.

However, House of Lemons failed to provide all the data held.

So the employee complains to the Information Commissioner's Office, who write to House of Lemons requesting they provide evidence to show how they apply the GDPR principles.


The House of Lemons must demonstrate that they adhere to the following six principles.

One. Lawfulness, fairness and transparency.

Data should be processed lawfully, fairly and in a transparent manner in relation to individuals.

The data controller should define a legal basis for the data they process and communicate openly with data subjects about data processing activities (for example, the collection of data, how it's stored and what it's used for) by issuing a privacy notice to data subjects.

The transparency principle requires data controllers to provide information about the personal data they process in an intelligible and easily accessible form, using clear and plain language and concise communication.


A privacy notice is a statement to the data subject which describes how the organisation collects, uses, retains and discloses personal data.

This can be a physical notice or a link to a web page.

Two. Purpose limitation.

Data can only be collected and processed for a defined, explicit and legitimate purpose and should not be used for processing which falls outside the stated purpose.

Data controllers must first identify the purpose for which the personal data will be processed.

This will form the boundary of what can be done with the data.

If the organisation wishes to complete processing which falls outside this boundary, they must determine if the processing is compatible with the original purpose.

Examples.


If you join your local leisure centre and provide demographic details which they state will only be used for statistical purposes, you should not then receive targeted communications about classes offered to your age group.

If the leisure centre provides users with an app to monitor their training but also uses the personal data to identify and eliminate technical errors within the app, this could be compatible with the original purpose, as it is an activity of the app creator that could reasonably be expected by the users.

Three. Data minimisation.

Data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Only personal data that is needed for the defined purpose should be collected and processed.

The GDPR states that data not required for the processing is not collected.

This is known as data minimisation.

Example.


Signing up to receive an online newsletter will require your email address but does not require you to provide your physical address or other personal details.

Four. Accuracy.

Data should be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate data is erased or rectified without delay.

It is the responsibility of the data controller to ensure data is accurate and to action requests by data subjects to amend or remove inaccurate data.

In addition, the data controller must notify anyone else who has access to the data or processes the data that it has changed, unless this requires disproportionate effort.

The third-party recipients should then update their records accordingly.

If requested, the data controller must inform the data subject about any data recipients.


Example.

If a person informs their employer that they have married and changed their title to Mrs and their surname from Smith to Jones, their employer must change their systems which include these details (for example, HR and payroll) and inform any third parties who receive the data, for example HMRC and their company pension provider.

Five. Storage limitation.

Data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Data should be kept for the duration of the processing and, if necessary, for a period thereafter as defined by law.


For example, retention of payroll records for HMRC, to defend a legal action, or for business reasons. Organisations should have a data retention policy which states how long each category of data is retained and how it will be destroyed after this period.

Example.

There are different retention periods for different data.

For example, application forms for successful job candidates should be kept for the duration of the employment, and payroll and tax information for HMRC must be kept for seven years (six years plus the current year).

Employers may wish to extend some of these, for example if they feel they might be needed to defend a legal claim, or for company records, perhaps to send a card to everyone who has worked for the company during its 100-year history.
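As an added illustration (example code, not part of the training module), here is a small Python retention check of the kind a data retention policy needs behind it: each category of data gets a rule that turns a record's dates into a destroy-after date, records past that date are listed, and a record in a category with no rule is rejected rather than silently kept. The payroll and application-form periods are the ones stated above; treating "the current year" as the UK tax year ending 5 April, destroying an application form on the employment end date, and the legal_hold flag for records an employer has chosen to keep for a legal claim are assumptions of the example, as is all the sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional

# Added example, not part of the training module. The periods for payroll
# and application forms are the ones the module states; how "six years
# plus the current year" maps onto calendar dates, and the use of the UK
# tax year (ending 5 April) as "the current year", are assumptions.

RetentionRule = Callable[["Record"], Optional[date]]


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    employment_end: Optional[date] = None  # for employment-linked records
    legal_hold: bool = False               # assumed: kept to defend a live legal claim


def tax_year_end(d: date) -> date:
    """End of the UK tax year (5 April) in which d falls."""
    end = date(d.year, 4, 5)
    return end if d <= end else date(d.year + 1, 4, 5)


def payroll_rule(rec: Record) -> date:
    # Keep to the end of the tax year of creation ("the current year"),
    # then six further complete tax years.
    return date(tax_year_end(rec.created).year + 6, 4, 5)


def application_form_rule(rec: Record) -> Optional[date]:
    # Kept for the duration of employment; None means still employed,
    # so there is no destruction date yet (assumed: no grace period).
    return rec.employment_end


RULES: Dict[str, RetentionRule] = {
    "payroll": payroll_rule,
    "application_form": application_form_rule,
}


def destroy_after(rec: Record) -> Optional[date]:
    """Last day the record may be kept, or None if its trigger is still open."""
    if rec.category not in RULES:
        # A category with no rule has no defined retention period: fail
        # closed rather than silently keeping the data forever.
        raise ValueError(f"no retention rule for category {rec.category!r}")
    return RULES[rec.category](rec)


def overdue(records: List[Record], today: date) -> List[str]:
    """IDs of records past their retention date and not under legal hold."""
    out = []
    for rec in records:
        limit = destroy_after(rec)
        if limit is not None and today > limit and not rec.legal_hold:
            out.append(rec.record_id)
    return out


# Constructed sample records (not real data).
SAMPLE = [
    Record("pay-2015-06", "payroll", date(2015, 6, 1)),          # tax year 2015/16
    Record("pay-2016-02", "payroll", date(2016, 2, 1)),          # also tax year 2015/16
    Record("app-smith", "application_form", date(2014, 3, 3),
           employment_end=date(2020, 1, 31)),
    Record("app-jones", "application_form", date(2019, 9, 9)),   # still employed
    Record("pay-hold", "payroll", date(2010, 5, 5), legal_hold=True),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.record_id, "destroy after", destroy_after(rec))
    print("overdue on 2022-04-06:", overdue(SAMPLE, date(2022, 4, 6)))
```

Two records created in different calendar years but the same tax year get the same destruction date, which is the point of anchoring "the current year" to a fixed year end; a record on legal hold stays off the overdue list but still carries its original destroy-after date, so the extension is visible rather than lost.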


Six. Integrity and confidentiality.

Data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

The GDPR requires organisations to complete risk analysis for their systems and implement appropriate technical and organisational measures to mitigate those risks and ensure the security of the data.

Example.

A healthcare company provides their shift managers with laptops to allow them to access patient records to assist their teams during out-of-hours calls.


The company will need to ensure that the laptop is encrypted and password protected so that data cannot be accessed if the laptop is lost. In addition, they should consider the possibility of a disgruntled employee downloading patient data, and disable the use of USB mass storage devices.

Note. It is not possible to completely remove all risks, but it is essential to assess the major risks and mitigate them.
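The two technical controls in that example can be checked rather than assumed. The following Python audit is an added example, not from the training module or from any particular product: it walks the block-device tree reported by lsblk to confirm the root filesystem sits on a dm-crypt device (so an LVM-on-LUKS layout is recognised, not just a plain encrypted partition), and it reads modprobe configuration to tell a real block of the usb-storage driver from a mere blacklist. The sample lsblk, modprobe.d and /proc/modules text is constructed; on a real Linux host it would come from `lsblk -P -o KNAME,TYPE,MOUNTPOINT,PKNAME`, `/etc/modprobe.d/*.conf` and `/proc/modules`. The script does not audit the login password requirement.

```python
import re
from typing import Dict, List

# Added example, not part of the training module. Audits two of the
# controls it names for a lost-or-stolen laptop: root filesystem on an
# encrypted block device, and USB mass storage blocked. All inputs are
# passed in as text so the functions can be exercised offline.


def parse_lsblk_pairs(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `lsblk -P` key="value" lines into {kname: {column: value}}."""
    devices = {}
    for line in text.splitlines():
        fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
        if "KNAME" in fields:
            devices[fields["KNAME"]] = fields
    return devices


def root_is_encrypted(lsblk_text: str) -> bool:
    """True if the device mounted at / or any ancestor is a dm-crypt device."""
    devices = parse_lsblk_pairs(lsblk_text)
    node = next((d for d in devices.values() if d.get("MOUNTPOINT") == "/"), None)
    seen = set()
    while node is not None and node["KNAME"] not in seen:
        seen.add(node["KNAME"])          # guard against a malformed cycle
        if node.get("TYPE") == "crypt":
            return True
        node = devices.get(node.get("PKNAME", ""))  # walk up to the parent
    return False


def usb_storage_status(modprobe_text: str) -> str:
    """
    'blocked'       : every load attempt fails (install usb-storage /bin/false)
    'autoload_only' : blacklisted only; an explicit modprobe, or the uas
                      driver which depends on usb-storage, still loads it
    'open'          : nothing prevents it
    """
    blocked = blacklisted = False
    for raw in modprobe_text.splitlines():
        words = raw.split("#", 1)[0].split()       # drop comments
        if len(words) >= 2 and words[1] in ("usb-storage", "usb_storage"):
            if words[0] == "install" and len(words) >= 3 \
                    and words[2] in ("/bin/false", "/bin/true"):
                blocked = True
            elif words[0] == "blacklist":
                blacklisted = True
    if blocked:
        return "blocked"
    return "autoload_only" if blacklisted else "open"


def usb_storage_loaded(proc_modules_text: str) -> bool:
    """modprobe.d only affects future loads; check whether it is resident now."""
    return any(line.split()[:1] == ["usb_storage"]
               for line in proc_modules_text.splitlines() if line.strip())


def audit(lsblk_text: str, modprobe_text: str, proc_modules_text: str) -> List[str]:
    """Return a list of findings; an empty list means both controls hold."""
    findings = []
    if not root_is_encrypted(lsblk_text):
        findings.append("root filesystem is not on an encrypted device")
    status = usb_storage_status(modprobe_text)
    if status != "blocked":
        findings.append(f"usb-storage not blocked (status: {status})")
    if usb_storage_loaded(proc_modules_text):
        findings.append("usb-storage driver is currently loaded")
    return findings


# Constructed samples (not captured from a real machine).
LSBLK_LUKS_LVM = '''KNAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
KNAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
KNAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
KNAME="dm-0" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
KNAME="dm-1" TYPE="lvm" MOUNTPOINT="/" PKNAME="dm-0"
'''
LSBLK_PLAIN = '''KNAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
KNAME="sda1" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
'''
MODPROBE_WEAK = "blacklist usb-storage\n"
MODPROBE_STRONG = "install usb-storage /bin/false\ninstall uas /bin/false\n"
PROC_MODULES = ("usb_storage 77824 1 uas, Live 0x0000000000000000\n"
                "xhci_pci 20480 0 - Live 0x0000000000000000\n")

if __name__ == "__main__":
    print("hardened laptop:", audit(LSBLK_LUKS_LVM, MODPROBE_STRONG, "") or "no findings")
    print("weak laptop:", audit(LSBLK_PLAIN, MODPROBE_WEAK, PROC_MODULES))
```

A `blacklist usb-storage` line only stops the kernel loading the driver by device alias when a stick is plugged in; `modprobe usb-storage`, or the uas driver which depends on it, still pulls it in, which is why the audit reports 'blocked' only for an `install usb-storage /bin/false` directive and why a matching `install uas /bin/false` line belongs beside it. The modprobe.d check also says nothing about the kernel that is already running, so the script reads /proc/modules as well.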

We will now ask you a short question.

Some time will be left for you to think about the answer.

However, feel free to pause the video after the question is asked to allow yourself enough time to think about the answer.

You do not need to click on the boxes to provide your answer.

The answer will be given shortly after the question has been asked.


If an individual wants an organisation holding their data to amend incorrect information, must they: request that their data is deleted and resubmit all information; inform the Information Commissioner's Office; inform the organisation directly; or tell the organisation what systems they would like updated?

The individual must inform the organisation directly.

This is the end of our Module 4, Principles.

You can now move on to Module 5, Legal Basis.
