Welcome to Module Four: Principles.
The GDPR is built upon a set of principles which govern the way organisations should manage personal data.
At the end of this module, you will have a basic understanding of the six data protection principles and how the principles are applied to the processing of personal data.
Here's a scenario.
A former employee of the House of Lemons, importer of fine oranges, makes a subject access request for all records and correspondence regarding a disciplinary action from 2015.
However, House of Lemons failed to provide all the data held.
So the employee complains to the Information Commissioner's Office, who write to House of Lemons requesting they provide evidence to show how they apply the GDPR principles.
The House of Lemons must demonstrate that they adhere to the following six principles.
One: lawfulness, fairness and transparency. Data should be processed lawfully, fairly and in a transparent manner in relation to individuals.
The data controller should define a legal basis for the data they process and communicate openly with data subjects about data processing activities, for example the collection of data, how it's stored and what it's used for, by issuing a privacy notice to data subjects.
The transparency principle requires data controllers to provide information about the personal data they process in an intelligible and easily accessible form, using clear and plain language and concise communication.
A privacy notice is a statement to the data subject which describes how the organisation collects, uses, retains and discloses personal data.
This can be a physical notice or a link to a web page.
Two: purpose limitation. Data can only be collected and processed for a defined, explicit and legitimate purpose and should not be used for processing which falls outside the stated purpose.
Data controllers must first identify the purpose for which the personal data will be processed.
This will form the boundary of what can be done with the data.
If the organisation wishes to complete processing which falls outside this boundary, they must determine if the processing is compatible with the original purpose.
Examples.
If you join your local leisure centre and provide demographic details which they state will only be used for statistical purposes, you should not then receive targeted communications about classes offered to your age group.
If the leisure centre provides users with an app to monitor their training, but also uses the personal data to identify and eliminate technical errors within the app, this could be compatible with the original purpose, as it is an activity of the app creator that could reasonably be expected by the users.
Three: data minimisation. Data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Only personal data that is needed for the defined purpose should be collected and processed.
The GDPR states that data not required for the processing should not be collected.
This is known as data minimisation.
Example.
Signing up to receive an online newsletter will require your email address but does not require you to provide your physical address or other personal details.
Four: accuracy. Data should be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate data is erased or rectified without delay.
It is the responsibility of the data controller to ensure data is accurate and to action requests by data subjects to amend or remove inaccurate data.
In addition, the data controller must notify anyone else who has access to the data or processes the data that it has changed, unless this requires disproportionate effort.
The third-party recipients should then update their records accordingly.
If requested, the data controller must inform the data subject about any data recipients.
Example.
If a person informs their employer that they have married and changed their title to Mrs and their surname from Smith to Jones, their employer must change their systems which include these details, for example HR and payroll, and inform any third parties who receive the data, for example HMRC and their company pension provider.
Five: storage limitation. Data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Data should be kept for the duration of the processing and, if necessary, for a period thereafter as defined by law, for example retention of payroll records for HMRC, to defend a legal action, or for business reasons.
Organisations should have a data retention policy which states how long each category of data is retained and how it will be destroyed after this period.
Example.
There are different retention periods for different data.
For example, application forms for successful job candidates should be kept for the duration of the employment, and payroll and tax information for HMRC must be kept for seven years (six years plus the current year).
Employers may wish to extend some of these, for example if they feel they might be needed to defend a legal claim, or for company records, perhaps to send a card to everyone who has worked for a company during its 100-year history.
Six: integrity and confidentiality. Data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The GDPR requires organisations to complete a risk analysis for their systems and implement appropriate technical and organisational measures to mitigate those risks and ensure the security of the data.
Example.
A healthcare company provides their shift managers with laptops to allow them to access patient records to assist their teams during out-of-hours calls.
The company will need to ensure that the laptop is encrypted and password protected so that data cannot be accessed if the laptop is lost; in addition, they should consider the possibility of a disgruntled employee downloading patient data and disable the use of USB mass storage devices.
Note.
It is not possible to completely remove all risks, but it is essential to assess the major risks and mitigate them.
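As an added illustration of the technical measures in the healthcare laptop example (this script is not part of the training module), the following PowerShell audit checks a Windows laptop for two of the controls named: that the system drive is encrypted with protection switched on, and that the USB mass-storage driver is disabled. It assumes BitLocker is the encryption product and that the organisation blocks USB storage by setting the USBSTOR service's Start value to 4; both are assumptions of the example, not statements from the module. The password-protection control is an account and lock-screen policy and is not checked here.

```powershell
# Added example, not part of the training module. Audits two technical
# measures from the healthcare laptop scenario on a Windows endpoint.
# Assumptions: BitLocker is the disk-encryption product, and USB mass storage
# is blocked by setting the USBSTOR service Start value to 4 (disabled).
# Run in an elevated PowerShell session on the laptop being checked.

function Test-LaptopDataProtection {
    $checks = [ordered]@{}

    # Control 1: the system drive must be encrypted and protection switched on.
    # Get-BitLockerVolume comes from the BitLocker module (Windows Pro/Enterprise).
    try {
        $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $checks['System drive BitLocker protection on'] = ($osVolume.ProtectionStatus -eq 'On')
    } catch {
        # No BitLocker module or cmdlet failure: treat as a failed check, never as a pass.
        $checks['System drive BitLocker protection on'] = $false
    }

    # Control 2: USB mass-storage driver disabled. Start = 4 means the USBSTOR
    # service never loads, so USB drives cannot be mounted on this laptop.
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                                -Name Start -ErrorAction SilentlyContinue
    $checks['USB mass storage driver disabled'] = ($null -ne $usbstor -and $usbstor.Start -eq 4)

    return $checks
}

$results = Test-LaptopDataProtection
$results.GetEnumerator() | ForEach-Object {
    '{0}: {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}

# A non-zero exit code lets a device-management tool flag a laptop that fails either control.
if ($results.Values -contains $false) { exit 1 }
```

The two checks map directly onto the risks in the scenario: the BitLocker check addresses the lost laptop, and the USBSTOR check addresses the disgruntled employee copying records to removable media. A failed cmdlet is reported as a failure rather than silently passed, so a laptop missing the BitLocker feature is surfaced for follow-up.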
We will now ask you a short question.
Some time will be left for you to think about the answer.
However, feel free to pause the video after the question is asked to allow yourself enough time to think about the answer.
You do not need to click on the boxes to provide your answer.
The answer will be given shortly after the question has been asked.
If an individual wants an organisation holding their data to amend incorrect information, must they: request that their data is deleted and resubmit all information; inform the Information Commissioner's Office; inform the organisation directly; or tell the organisation what systems they would like updated?
The individual must inform the organisation directly.
This is the end of our module, Module Four: Principles.
You can now move on to Module Five: Legal Basis.