| Data Protection and Data Security Policy
| Definitions within the GDPR
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
In terms of this policy, Controller is synonymous with the firm and its obligations.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
“Recipient” means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
“Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
“Binding corporate rules” means personal data protection policies which are adhered to by a controller or processor established on the territory of a Member State for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;
“ICO” means the Information Commissioner’s Office, the regulator of data protection for the United Kingdom.
This data policy and procedure demonstrate the firm’s commitment to responsibility and accountability in data protection, and the document establishes the firm’s understanding of data protection and data security. Senior management and relevant individuals at the firm are required to review the policy prior to making any decision which uses the personal data of a data subject. Employees are required to read and understand the policy before they process personal data.
| The Seven key Principles of the GDPR:
The GDPR outlines the seven key principles for the processing of personal data.
- Lawfulness, fairness and transparency;
- Purpose limitation;
- Data minimisation;
- Accuracy;
- Storage limitation;
- Integrity and confidentiality (security); and
- Accountability.
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them is collected and processed. The principle of transparency requires that any information and communication relating to the processing of personal data be easily accessible and easy to understand, and that clear and plain language be used. The principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed.
Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of personal data.
The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.
| Lawful Basis for Processing
In order for a data controller to process data, the controller requires a lawful basis to do so. If the controller has no lawful basis to process the personal data of the subject, then the processing will be unlawful, in which case the controller may face enforcement action from the ICO, or from other European regulatory bodies if the enforcement action requires cross-border co-operation.
There are 6 lawful bases for processing which may be applicable to data controllers. The GDPR’s requirement that processing is transparent means that, in the privacy notice, the controller must outline which lawful basis the firm will rely on and at which point in the data processing cycle. For example, a firm may rely on consent to collect the data originally but rely on compliance with a legal obligation to store it. One lawful basis will not always be applicable to all of the processing the controller carries out on the personal data.
The following are the legal bases for processing data:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
For the purposes of this data protection policy, the two legal bases which are not self-explanatory are the first (consent) and the sixth (legitimate interests). These are both outlined separately below.
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to them, such as by a written statement, including by electronic means, or an oral statement. Recital 32 of the GDPR indicates that consent can be obtained by ticking a box when visiting an internet site (an opt-in box). However, pre-ticked boxes are regarded as a breach of the consent rules, as they are not an unambiguous indication of a data subject’s consent. Additionally, consent cannot be bundled with other terms, e.g. terms and conditions of service. Consent to data processing must be obtained separately from any other requirement the controller places on the subject.
Where the processing is based on consent the data controller has a burden to prove that consent had been freely given by the data subject. For consent to be informed, the data subject should be aware of at least the identity of the controller and the purposes of the processing for which the personal data is intended.
Importantly, consent should not be regarded as freely given if the data subject has no genuine or free choice, or is unable to refuse or withdraw consent without detriment. In addition, Recital 43 outlines that where there is a clear imbalance of power between the controller and the subject, consent is unlikely to have been given freely. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations, despite this being appropriate in the individual case.
Consent as a legal basis for processing is the most commonly used, however, it may not be the most appropriate in all circumstances. Situations where consent is not appropriate include where the customer has no real choice in consenting to how their data will be processed.
Legitimate interest is the most flexible lawful basis for processing. Relying on legitimate interests means the data controller takes on extra responsibility for considering and protecting individual rights and freedoms, as the legitimate interests of the controller may be to the detriment of individuals’ fundamental rights. There is a three-element test (the “Legitimate Interest Assessment”, or “LIA”) to determine whether legitimate interest is an appropriate lawful basis for processing:
- Identify a legitimate interest of the controller or a third party;
- Show that the processing is necessary to achieve the legitimate interest; and
- Balance the processing against the data subjects’ interests, rights and freedoms.
A wide range of interests may be legitimate interests; these can be commercial interests as well as wider societal benefits, and they may be compelling or trivial.
The Legitimate Interest Assessment must be recorded and retained for as long as necessary to demonstrate to regulators that a legitimate interest has been utilised as a lawful basis for processing. There is no standard format for an LIA, however, it is important to show that the controller has proper decision-making processes in place to justify the outcome of the LIA.
The GDPR further requires the data controller to notify the subject of any legitimate interests which may be used to process personal data. This is to be used in conjunction with the right to be informed.
What is necessary
Each lawful basis for processing, except consent, requires the processing to be necessary. Processing is necessary only if the effect which the processing would produce cannot be achieved without processing personal data. For example, it is not necessary to process personal data to sell a chocolate bar, but it is necessary to process personal data to provide somebody with a car quote.
| The Main Rights for Data Subjects under the Data Protection Act 2018
When processing personal data, controllers have an obligation to provide data subjects with the following fundamental rights:
- The right to be informed;
- The right of access;
- The right of rectification;
- The right to erasure;
- The right to restriction of processing;
- The right to data portability;
- The right to object; and
- Rights against automated decision making, including profiling.
| The Right to be Informed
The principle of lawful, fair and transparent processing requires that the data subject be informed of the existence of the processing operation and the purpose of the processing. The right to be informed encompasses the controller’s obligation to provide fair processing information. The mode of communication for the right to be informed is typically a privacy notice.
The right to be informed can be met by placing a privacy notice on the controller’s website. Data subjects should be made aware of the notice and given an easy way to access it:
- The notice is required to be fair and transparent, concise, intelligible, and to use clear and plain language;
- The notice is required to be in a prominent location; and
- The notice is required to be easily accessible, e.g. not locked behind security walls.
What Information Must be Supplied?
Article 13 of the General Data Protection Regulation sets out the information that the controller should supply to the data subject upon collection of their data, in any case, this information should be provided in the privacy notice.
We are mandated to supply the following:
- The identity and contact details of the controller and, where applicable, of the controller’s representative;
- The contact details of the Data Protection Officer, where applicable;
- The purposes for the processing for which the personal data are intended as well as the legal basis for the processing;
- Where the processing is based on ‘legitimate interests’, the legitimate interests pursued by the controller or by a third party;
- The recipients or categories of recipients of the personal data;
- The fact that the controller intends to transfer personal data to a third country or international organisation;
- The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- The existence of data subject rights:
  - The right to be informed;
  - The right of access;
  - The right of rectification;
  - The right to erasure;
  - The right to restriction of processing;
  - The right to data portability;
  - The right to object; and
  - Rights against automated decision making, including profiling.
- How to exercise each data subject right against the data controller;
- When processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
The privacy notice is required to be regularly reviewed to ensure that it remains compliant with the GDPR. Regular data audits should be carried out by the controller to make certain the privacy notice and policy are up to date and fit for purpose.
Non-Privacy notice approach
The right to be informed places an obligation on the data controller to provide the relevant information to data subjects when that data is collected, regardless of the medium of collection. As stated above, the likeliest method of providing information to data subjects is a privacy notice on the controller’s website. This is not the only method, and in many cases it may not be the most appropriate method of informing the data subject of the relevant information.
Privacy notices have limited applicability in situations where data has been purchased from a third party, e.g. a data farmer. The right to be informed extends beyond the need for a privacy notice; it is not conditional and applies to all methods of data collection. As such, techniques to satisfy the right to be informed extend beyond a privacy notice and include:
- A layered approach – short notices containing key privacy information that have additional layers of more detailed information.
- Dashboards – preference management tools that inform people how you use their data and allow them to manage what happens with it.
- Just-in-time notices – relevant and focused privacy information delivered at the time you collect individual pieces of information about people.
- Icons – small, meaningful, symbols that indicate the existence of a particular type of data processing.
- Mobile and smart device functionalities – including pop-ups, voice alerts and mobile device gestures.
A privacy notice should be accompanied by the layered approach. The above applies to each method of data collection, including bought data, websites, face-to-face, data mining, etc.
The right to be informed is obligatory for those who control data. Failure to accurately uphold the right to be informed will constitute a breach of the General Data Protection Regulation.
| The Right to Access
Under the General Data Protection Regulation, individuals have the right to obtain, from the controller, confirmation as to whether or not personal data concerning the subject is being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The data subject access request will be free of charge unless the request is deemed excessive. The deadline to respond to a data subject access request is one month from the date of submission. There is no prescribed method of making a data subject access request; a data subject can submit a request in any medium they wish.
| The Right to Rectification
Under the General Data Protection Regulation, data subjects have the right to have rectified any personal data which is inaccurate, and to have completed any data records which are incomplete. The right to rectification is closely linked with the Accuracy principle of the GDPR: if the controller receives a request for rectification from a data subject, they are required to take reasonable steps either to make certain the data is accurate or to rectify it as necessary.
Where the controller would be required to rectify the personal data, but the data must be maintained for the purposes of evidence, they must restrict the personal data’s processing, and not rectify the record.
| The Right to Data Portability
The right to data portability allows data subjects to obtain and reuse their personal data, and it is not restricted by the services the firm provides. The data subject can request data portability for their own purposes, including but not limited to moving, copying or transferring personal data in a safe and secure way, without affecting the data’s usability.
The right only applies to information a data subject has provided to the controller; e.g. if a controller receives personal data about the data subject from a third party, the right to data portability does not extend to this data. Additionally, the right to data portability only applies when the controller's lawful basis for processing is:
- Performance of a contract; or
- The processing is carried out by automated means (e.g. excluding paper files).
Any request for data portability shall be handled without hindrance, which means the controller cannot put in place any legal, technical or financial obstacles which slow down or prevent the transmission of the personal data to the individual, or to another organisation.
The right to data portability is closely linked with the right to access data. The processes the controller undergoes will be similar to that of subject access.
| The Right to Restrict Processing
Under the General Data Protection Regulation, data subjects have a right to restrict the processing of their personal data. Data subjects shall have the right to obtain a restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- The data subject has objected to processing pursuant to Article 21(1) (right to object) pending the verification whether the legitimate grounds of the controller override those of the data subject.
The right to restrict processing is not always obligatory, and only applies in the above circumstances. Methods to restrict processing after a request include:
- Temporarily moving the selected data to another processing system;
- Making the selected personal data unavailable to users; and
- Temporarily removing published data from a website.
The fact that the processing of personal data is restricted should be clearly flagged on the system so that it is visible to all individuals at the controller. Once a restriction is placed, the controller is only permitted to store the data, unless:
- We have the individual’s consent to the specific processing;
- It is for the establishment, exercise or defence of legal claims;
- It is for the protection of the rights of another person (natural or legal); or
- It is for reasons of important public interest.
| The Right to Erasure
The GDPR introduced a right for data subjects to have their personal data erased. The right is not absolute; this means that customers can only request erasure in certain circumstances. The circumstances in which the right of erasure can be exercised are the following:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
- The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
- The personal data have been unlawfully processed;
- The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- The personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
The controller is not required to comply with a request for erasure if the request does not meet the requirements above. Additionally, the controller is not required to comply with the request if any of the below exemptions apply:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
Where the controller is required to erase the data subject’s personal data, they are obligated to erase the data from both live and backup systems. The controller must immediately remove personal data from the live systems. If the controller cannot immediately erase data from the backup system, they are required to be absolutely clear with data subjects on the timescales for erasure from the backup system, and must then ensure the personal data is put ‘beyond use’, so that it cannot be accessed by any member of staff. Personal data will remain beyond use until it can be erased from the backup system.
Supplementary information for the above rights
The Data Protection Act 2018 provides supplementary information for the above data subject rights. Where a data subject requests to exercise any right, the controller is required to inform the data subject in writing whether the request has been granted or refused. If the request has been refused, then the controller is obligated to notify the subject in writing of the reasons for the refusal, the data subject’s right to make a request to the Commissioner under section 51, the data subject’s right to lodge a complaint with the Commissioner, and the data subject’s right to apply to a court under section 167. The controller must send the written letter stating the outcome of the request, and the subsequent information, without undue delay.
The controller may restrict what information is provided to the customer in the written response of refusal where restriction is required in order to:
- avoid obstructing an official or legal inquiry, investigation or procedure;
- avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
- protect public security;
- protect national security;
- protect the rights and freedoms of others.
Where the controller has decided to restrict the provision of information to the data subject, as above, they are required to record the reasoning for restriction, and if requested provide this information to the Commissioner.
Where the controller accepts a request for erasure, restriction or rectification in respect of personal data which the controller has disclosed to a recipient, they are required to notify each recipient of the data, who is then obligated to erase, restrict or rectify the personal data of the data subject.
| The Right to Object
The General Data Protection Regulation provides data subjects with the right to object to the processing of their personal data at any time. Data subjects can object to the processing of their personal data in certain circumstances; where the circumstance below applies, the right to object is absolute:
- Direct marketing purposes.
The right to object in relation to direct marketing is absolute and cannot be contested. If an objection is made to processing for direct marketing purposes, then the personal data shall no longer be processed for direct marketing. Controllers can still process the data; however, the processing can no longer be for the purposes of direct marketing.
Data subjects have the right to object to processing in other circumstances; however, in the circumstances mentioned below the right is not absolute:
- Processing for a ‘public task’ – for the performance of a task carried out in the public interest;
- Processing for a ‘public task’ – for the exercise of official authority vested in ourselves; and
- Processing based on legitimate interests.
Data subjects can exercise the right to object to processing in the above circumstances; however, this has to be on grounds relating to their particular situation. The right is not absolute and can be contested by the controller where they can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual, or where the processing is for the establishment, exercise or defence of legal claims.
The controller is obliged to inform the individual of their right to object to the processing at the point of first communication, and in the privacy notice.
| Rights concerning automated individual decision-making, including profiling
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her. This means that the data controller cannot subject the data subject to such an automated decision, e.g. an automated decision to grant a loan. However, this provision does not apply in the following three circumstances:
- The processing is necessary for entering into, or performance of, a contract between the data subject and a data controller;
- The processing is authorised by Union or Member State law to which the controller is subject; or
- The processing is based on the data subject’s explicit consent.
In addition to the above, the ICO has outlined additional requirements in relation to automated individual decision making:
- Provide meaningful information about the logic involved in the decision-making process, as well as the significance and the envisaged consequences for the individual;
- Use appropriate mathematical or statistical procedures;
- Ensure that individuals can:
  - Obtain human intervention;
  - Express their point of view; and
  - Obtain an explanation of the decision and challenge it;
- Put appropriate technical and organisational measures in place, so that you can correct inaccuracies and minimise the risk of errors;
- Secure personal data in a way that is proportionate to the risk to the interests and rights of the individual, and that prevents discriminatory effects.
Automated decisions which do not produce legal effects or similarly significant effects do not fall within the provisions of GDPR Article 22; however, the decision making will still be subject to the data protection principles and the relevant provisions of the GDPR.
| The effect of Article 12 GDPR
The exercise of each of the above data subject rights is governed by further requirements in Article 12 GDPR. The Article outlines the requirements on the data controller when responding to the exercise of a data subject right. These include:
- Information provided to the data subject should be concise, transparent, intelligible, easily accessible and use clear and plain language;
- Information shall be provided in writing, or by other means, including electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven;
- The controller must provide a response to the data subject without undue delay and in any event within one month of receipt of the request (under updated ICO guidance, the day a request to exercise data subject rights is received by a firm counts as ‘day 1’). This period may be extended by two further months where necessary, taking into account the complexity and number of requests; if the controller wishes to extend the deadline, then the data subject has to be notified in writing with the reason for the delay;
- If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy;
- The information provided from the exercise of data subject rights shall be provided free of charge. However, where requests from a data subject are manifestly unfounded or excessive, the controller may charge a reasonable fee or refuse to act on the request. It is the burden of the data controller to demonstrate that the request is manifestly unfounded or excessive.
- The controller may request the provision of additional information necessary to confirm the identity of the data subject.
Article 12 of the GDPR further provides data controllers with the right to refuse an exercise of data subject rights if any of the following are satisfied:
- The personal data of the data subject is no longer recognised as personal data – e.g. if the data has been anonymised;
- Where the controller is not satisfied that the request is made by the individual to whom the personal data relates; and
- Where the request is manifestly unfounded or excessive.
| Accountability and Governance
Article 5 of the GDPR prescribes that the controller is responsible for, and must be able to demonstrate compliance with, the principles. This is known as the accountability requirement of the GDPR. The controller is responsible for its own compliance with the GDPR, including the compliance of any of its employees or individuals who have access to the data the controller holds. Additionally, it must be able to demonstrate that it is compliant, e.g. by keeping records of the lawful basis for processing and by recording any exercise of data subject rights and the outcomes of these.
| Data Storage
The GDPR provides that data records shall only be maintained for as long as ‘necessary’; if the processing is no longer necessary, e.g. because the controller no longer has a lawful basis to process (store) the data, then the controller should erase the data. Without prejudice to any regulatory requirements (which constitute a legal obligation lawful basis), data records will be retained only for as long as strictly necessary for the controller’s data processing activity.
As part of the controller’s documentation it retains personal information which pertains to the following (please note this list is not exhaustive):
- Information required to enter into and perform a contract between the controller and the data subject;
- Information required under a legal obligation, in this case the regulatory requirements set by the Financial Conduct Authority;
- Information required to be held under the GDPR, e.g. records of consent and LIAs (legitimate interests assessments).
| Anonymisation and Pseudonymisation
The GDPR provides that anonymisation of personal data ensures that the data subject is no longer identifiable, and therefore the data is no longer personal data, to which the GDPR no longer applies. The controller is not required to anonymise data; however, without prejudice to data storage, the controller may wish to anonymise data and retain it for the controller’s own purposes. Data subjects will have no rights in relation to data which has been anonymised, as they are no longer identifiable. The controller may choose to anonymise data which it would otherwise destroy. Personal data will not be regarded as anonymised if at any time an individual could access the data and identify any person in the data set.
Pseudonymisation, on the other hand, does not ensure that data subjects are no longer identifiable. The process of pseudonymisation is a security measure the data controller may use in order to protect data subjects’ personal data, or to demonstrate the controller’s compliance with the Principles outlined in the GDPR. Data subjects will still be able to exercise their data subject rights in relation to data which has undergone the pseudonymisation process.
| Data Minimisation
In line with the controller’s accountability obligations in relation to the Principles, only data which is required for the processing is processed. The controller only collects and processes personal data which is required. For example, when collecting data on Jane Smith for an application, the controller only collects data on the Jane Smith who is undergoing the application and not on every Jane Smith in the United Kingdom.
Under the GDPR Principles, the data controller is required to store the data with appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. The security principle covers cybersecurity (e.g. ensuring the network which hosts the data is secure and resilient against cyber-attacks), physical security and organisational security.
To ensure data is stored securely in cyberspace by either the controller or a processor with whom the controller has a contract (e.g. cloud hosting services), the controller has to take into account the following:
- The physical location of asset storage – e.g. is the cloud hosted in France or in a politically exposed country
- The security of the data centre itself – e.g. does the tangible storage have physical protection, such as a security guard and barbed wire fences
- The protection of data at rest
- The data sanitisation policy of the firm
- The disposal of outdated hardware
- Physical resilience and availability of systems during attacks that cause downtime
Where the controller hosts the personal data on its own software, the above requirements will be reviewed against the controller’s software.
The controller is further required to ensure the physical security of the assets which host the data; this includes company laptops, tangible files and the like. The controller is obliged to protect devices in a way which ensures the security of physical assets; this may include, but is not limited to:
- Password protected devices;
- Encrypted data storage;
- Pseudonymised data; and
- Premises are secured and alarms and locks are kept up to date.
There is no one-size-fits-all approach to security in the GDPR; as such, the controller is required to implement a risk-based approach. Wherever the risk of a data breach is high, the controller needs to implement more safeguards to protect data subjects’ data.
| Data Breaches
The GDPR implements a process whereby the controller’s data breaches are required to be reported to the relevant regulatory authority, which in the case of the United Kingdom is the ICO.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that result from both accidental and malicious causes. Once a breach has occurred, however small, the controller must establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it is likely that there will be a risk to the rights and freedoms of the data subject, then the controller must notify the ICO; if it is unlikely that the rights and freedoms of the data subject will be affected, then the breach does not need to be reported to the ICO.
It is for the controller to determine whether the breach needs to be reported to the ICO. The threshold for reporting a data breach to the ICO is lower than the threshold for notifying the data subject who has suffered the harm. The data controller is required to notify the data subject of the breach when there is a high risk to the subject’s rights and freedoms.
In any case, when determining whether a data breach must be notified to the ICO or to the data subject, the controller is required to document the decision-making process in order to fulfil the accountability principle of the GDPR.
Failure to disclose a breach where disclosure is required can itself amount to a breach of the GDPR, and enforcement action can be taken by the ICO, including a significant fine of up to €10 million or 2 percent of the controller’s global turnover.
| International Transfers
The GDPR introduced the notion of restricted data transfers to countries outside the European Economic Area or to international organisations which may host the data outside the EEA. The restriction on international data transfers applies to all data transfers, no matter the size. The transfer restriction applies at the legal entity level; as such, a transfer to an international parent undertaking is a restricted transfer.
In order to transfer data without breaching the restriction rules, the controller is required to ensure that the country outside the EEA is covered by an “adequacy decision” from the EU Commission. The decision is a finding by the Commission that the legal framework in place in the country provides adequate protection for individuals’ rights and freedoms in respect of their personal data. A list of the adequacy decisions which the Commission has made can be viewed on the Commission’s data protection website. If an adequacy decision is in place, then the transfer of data is no longer a restricted transfer and can thus be effected.
If the country in question does not have an adequacy decision made by the Commission, the controller should establish whether the transfer can be made subject to “appropriate safeguards”, which are listed in the GDPR. These safeguards ensure that both the controller and the receiver of the transfer are legally required to protect the individual’s rights and freedoms. The safeguards are the following:
- A legally binding and enforceable instrument between public authorities or bodies
- Binding corporate rules
- Standard data protection clauses adopted by the Commission
- Standard data protection clauses adopted by a supervisory authority and approved by the Commission
- An approved code of conduct together with binding and enforceable commitments of the receiver outside the EEA
- Certification under an approved certification mechanism together with binding and enforceable commitments of the receiver outside the EEA
- Contractual clauses authorised by a supervisory authority
- Administrative arrangements between public authorities or bodies which include enforceable and effective rights for the individuals whose personal data is transferred, and which have been authorised by a supervisory authority
If an adequacy decision has not been made by the Commission and there are no appropriate safeguards in place, the controller should not make any restricted transfer unless the transfer falls within one of the following exemptions, which the controller should consider in turn:
- Has the individual given his or her explicit consent to the restricted transfer?
- Do you have a contract with the individual? Is the restricted transfer necessary for you to perform that contract?
- Do you have (or are you entering into) a contract with an individual which benefits another individual whose data is being transferred? Is that transfer necessary for you to either enter into that contract or perform that contract?
These exemptions can only be relied upon for occasional restricted transfers.
If none of the above is available to the controller, then no restricted transfer can be made.
The above restricted transfer rules do not apply to transfers within the EEA. If a data transfer occurs from one organisation to another where both are located in the EEA, then the GDPR applies in full: transferring is regarded as processing, and as such a lawful basis for processing is required to transfer data to an EEA organisation.