Straight from the horse’s mouth – Applying the Principles of GDPR Easily in Real Life
There are seven basic principles of GDPR. They are lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality (that’s basically security), and then finally, accountability.
Before we jump in… I recently explored this subject with the owner of a livery yard. It was an excellent learning experience for me. An opportunity to look at the theory put into practice!
Lawfulness, fairness & transparency
The first principle is lawfulness, fairness and transparency.
Lawfulness refers to the legal basis on which you process personal data. The options include consent, contract, legal obligation, legitimate interests, and so on. Also on that list is the vital interests of the individual, which isn’t a basis you might think applies to you, so here’s a real-life example:
The lawful basis of vital interests applies where someone’s life may depend on the processing of their personal data. In this case, it relates to a stable yard and the fact that horse riding can be dangerous: holding a rider’s date of birth and any relevant medical conditions answers exactly the questions the paramedics may ask if there is an accident.
Fairness is all about not doing anything unexpected with the data.
For instance, if somebody signs up (only) to a networking group, they wouldn’t expect to start receiving advertising emails from a third party. If they’ve given their consent for that additional use, it’s a different matter, of course. This is a genuine example of what actually happened, at a business networking group that really should know better.
The third item in this principle is transparency: being clear and unambiguous in the explanations you provide. Probably the best-known and most visible document is a business’s Privacy Notice. You can see why it’s such an important document; it’s like a promise saying, if you trust me with your data, this is what I’m going to do with it… and nothing else.
In our stables, a local address and contact details are essential in case someone abandons their horse… yes, this does happen. The point is that, if someone asked why the information was needed, the justification is clear and valid.
The lawful basis for this is contract, as it’s built into the T&Cs; it could have been any one of several. When you record why you collect a piece of information, settle on one lawful basis for that purpose; you can’t hedge with a whole bouquet of them!
The second principle of GDPR is purpose limitation. The bottom line with this is that you must only process the data for the specific purpose(s) you have stated. You need to have evidence that what you say you do is actually what you do.
An example of this (not our stables in this case) would be collecting dates of birth for the purpose of sending out a birthday card or sending birthday greetings. The evidence side of this would be a note in the Policy of the business plus a record of the cards or greetings sent.
The third principle, data minimization, boils down to this: only gather what you absolutely need and can justify, and only keep it for as long as you need it. Set your timescales, and set up simple ways of checking up (on yourself, if you’re like me) to be sure you delete or destroy data that has reached the end of its life.
The next Principle of GDPR is the accuracy of the data you hold/use.
For the stables, this is a simple matter of either asking clients to check a paper record or sending an email asking them to confirm that the details they gave (say, a year ago) are unchanged, and explaining what to do if anything is different.
For a business that sends marketing emails, checks or updates can be handled by a well-designed email sequence: an annual email asking whether this is still the preferred email address. If they don’t answer at all, you can sideline that address, after cross-checking your email statistics for hard bounces and the like. The moral: avoid damaging your deliverability and keep your costs down.
Storage limitation is all about how long you hold data for. There are legal requirements for, for example, tax records, but other retention periods will depend on what you decide, record and can justify.
If your business provides quotes or an enquiry service, you will hold data from people who never proceed to a contract of any sort. Decide how long you need to keep that, and put it in your policy and Privacy Notice.
Integrity and confidentiality
The next principle is integrity and confidentiality, which covers all aspects of the security of the data. That means physical security as well as cybersecurity.
At the stables, the physical records are in a filing system inside a locked office to which only the business owner has access. In other businesses where access to the office isn’t so strictly controlled, locked filing cabinets might also be used. It depends on the circumstances and taking reasonable steps with the measures in place. Horses for courses, if you like. (Ouch!)
Digital data has a whole set of precautions you can take, ranging from making sure nobody can see your computer screen to checking, when you are on a video call, that nothing is visible to the other participants that shouldn’t be. You may have seen the recent story about the 3d property viewing that showed far more than it should have done!
Other security precautions include:
- Multifactor Authentication (MFA or 2FA) – always use it if it’s offered.
- Install good quality anti-virus software and keep it updated (same with your operating system and apps).
- Encrypt your devices and set up remote wipe – if an encrypted device is then lost or stolen, the data on it is unreadable to whoever finds it, so the loss is unlikely to need reporting as a breach (provided encryption was actually switched on and the passphrase or recovery key wasn’t lost with it).
- Use a password manager – spare your memory and get easy generation of tough-to-crack passwords.
- Secure your website – the risk of damage to your brand is very high if you haven’t done so.
- Destroy data securely – a cross-cut shredder for paper, and proper wiping rather than plain deletion for digital files. Deleting a file and emptying the trash just frees up the storage; the data stays on the disk until something overwrites it. On SSDs and modern copy-on-write filesystems even an overwrite may not reach the old blocks, which is one more reason device encryption matters: destroy the key and everything encrypted with it is gone.
- Think about how to safely dispose of old devices. A device that no longer works can still have data on it. There is also the environmental side of safe destruction to consider. There are many companies who will dispose of devices properly and give you a certificate, which you can then keep in your records.
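As an added example (not from the original post, and not any particular tool’s code), here is what “digitally shredding” a single file looks like in Python: overwrite the contents with random bytes, flush them to disk, shrink the file to nothing, rename it so the original filename disappears from the directory, then unlink it. The function names and the sample client record are made up for the demonstration. The caveat in the comments matters: on SSDs, wear-levelled flash, and snapshotting or copy-on-write filesystems, an overwrite may never touch the old blocks, so for lost or disposed devices the dependable control is full-disk encryption plus destruction of the key.

```python
"""Overwrite-then-unlink ("digital shredding") of one file.

Added example; helper names are hypothetical. Intended for spinning disks
and plain filesystems. On SSDs and copy-on-write/snapshotting filesystems
(e.g. APFS, btrfs, ZFS) the old blocks may survive an overwrite, so rely on
full-disk encryption and key destruction for device disposal instead.
"""
import os
import secrets
import tempfile


def secure_delete(path: str, passes: int = 1, chunk: int = 1 << 16) -> int:
    """Overwrite `path` with random bytes `passes` times, then remove it.

    Returns the total number of bytes overwritten. Symlinks and non-regular
    files are refused so we never shred a target outside the intended file.
    """
    if passes < 1:
        raise ValueError("passes must be >= 1")
    if os.path.islink(path) or not os.path.isfile(path):
        raise ValueError(f"refusing to shred non-regular file: {path}")

    size = os.path.getsize(path)
    # buffering=0 gives a raw file object so each write goes straight to the OS
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                buf = secrets.token_bytes(min(chunk, remaining))
                view = memoryview(buf)
                while view:                  # raw writes may be partial
                    written = f.write(view)
                    view = view[written:]
                remaining -= len(buf)
            os.fsync(f.fileno())             # force the new blocks to disk, not just the page cache
        f.truncate(0)                        # zero length so the record size doesn't leak either
        os.fsync(f.fileno())

    # Rename to a random name before unlinking so the original filename
    # no longer sits in the directory entry.
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anon)
    os.remove(anon)
    return size * passes


def shred_example() -> dict:
    """Constructed demo: write a fake client record, shred it, report what happened."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "client-record.txt")
    record = b"Jane Rider, DOB 01/01/1990, next of kin 01234 567890\n"  # constructed sample data
    with open(path, "wb") as f:
        f.write(record)

    overwritten = secure_delete(path, passes=2)
    result = {
        "record_length": len(record),
        "bytes_overwritten": overwritten,
        "file_exists_after": os.path.exists(path),
        "dir_entries_after": len(os.listdir(workdir)),
    }
    os.rmdir(workdir)
    return result


if __name__ == "__main__":
    print(shred_example())
```

Two passes are plenty here; the point is that the bytes are replaced and flushed before the name goes away, not the pass count. If the file lives inside a cloud-synced folder or a backed-up directory, copies elsewhere are untouched by this routine, which is exactly why the retention policy has to say where each record lives.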
The final principle of GDPR is the overarching principle and that is accountability. As a controller, you are responsible for meeting all of these requirements. How you achieve that is up to you, but you do need to be able to show evidence if asked. I’m glad to say that the stables are looking good and are well on their way to having an easily sustainable GDPR compliance set-up!