Principle 6: The Integrity and Confidentiality Principle
This principle (the only one to deal explicitly with security) states that personal data shall be processed in a manner that ensures appropriate security. This includes protection against unauthorised or unlawful processing, accidental loss, destruction or damage and also covers using appropriate technical or organisational measures. As with many of the other principles under GDPR, this is not materially different to the position under the current Data Protection Act 1998.
GDPR is frustratingly vague when talking about the measures organisations should take to ensure security but comfort can be taken from the fact that so much of this is common sense. Technological and organisational best practices are changing all the time and so when determining what is ‘appropriate’ organisations should look at things in the context of their business and what is currently accepted as best practice in their market. The guidance offered by the ICO states that the cost of implementing appropriate security measures, the nature, scope and context of the information in question and the harm that may result from improper use or from accidental loss or destruction should all be taken into account. Encryption should be used and data should be pseudonymised wherever possible but this is by no means exhaustive - all other appropriate measures should be considered.
Whilst at times the vagueness and complicated language of GDPR may feel like it’s designed to catch-out organisations, another way to view it is that having in place sensible security measures to protect both your systems and the data contained within those systems makes good business sense. It is also more than likely something you have been doing all along! In theory, therefore, compliance with this principle should not represent too much of a headache.
Furthermore, GDPR does not really change the aims and objectives of the eight core principles of the Data Protection Act 1998. These core principles are specifically referred to in the six key GDPR principles we have covered over the past few weeks. The other two, covering data subject rights and data transfers are also referred to elsewhere in the legislation. What GDPR does do is introduce a higher level of compliance for organisations in terms of following good policies and procedures, whilst also requiring documentation of these. Organisations are also required to be completely transparent in their communication with individuals as to how their data is being handled and protected.
As we head into the uncharted territories of the post GDPR world, so much is still unknown. The best you can do to protect your organisation is to ensure your house is in order. Take each of the key principles and think about how you are complying (or not!) and make sure both your thought processes and the resulting policies are written down. There can be a happy ending to your GDPR journey after all and remember Good Data handling Protects Relationships!
To consult with the Lawbrief lawyer Jessica, please submit an enquiry for a free 15-minute consultation or call the dedicated GDPR Hotline 0845 241 1843.
For clients who need last minute help with compliance there is a special GDPR Rescue Package. As well as 12 GDPR compliant templates the package contains a 30 minute GDPR audit consultation and 2 hours of specific GDPR legal advice for only £495 + VAT (versus £675 + VAT). To find out more please click here.
LawBite’s Countdown Checklist for GDPR | Part One LawBite's Countdown Checklist for GDPR | Part Two LawBite's Countdown Checklist for GDPR | Part Three LawBite's Countdown Checklist for GDPR | Part Four LawBite's Countdown Checklist for GDPR | Part Five How LawBite works LawBite GDPR Rescue Package