Principle 6: The Integrity and Confidentiality Principle
This principle (the only one to deal explicitly with security) states that personal data shall be processed in a manner that ensures appropriate security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. As with many of the other principles under GDPR, this is not materially different to the position under the current Data Protection Act 1998.
GDPR is frustratingly vague when talking about the measures organisations should take to ensure security, but comfort can be taken from the fact that so much of this is common sense. Technological and organisational best practices are changing all the time, so when determining what is ‘appropriate’, organisations should look at things in the context of their business and what is currently accepted as best practice in their market. The guidance offered by the ICO states that the cost of implementing appropriate security measures, the nature, scope and context of the information in question, and the harm that may result from improper use or from accidental loss or destruction should all be taken into account. Encryption should be used and data should be pseudonymised wherever possible, but this is by no means exhaustive - all other appropriate measures should be considered.
Whilst at times the vagueness and complicated language of GDPR may feel like it’s designed to catch out organisations, another way to view it is that having in place sensible security measures to protect both your systems and the data contained within those systems makes good business sense. It is also more than likely something you have been doing all along! In theory, therefore, compliance with this principle should not represent too much of a headache.
Furthermore, GDPR does not really change the aims and objectives of the eight core principles of the Data Protection Act 1998. These core principles are specifically referred to in the six key GDPR principles we have covered over the past few weeks. The other two, covering data subject rights and data transfers, are also referred to elsewhere in the legislation. What GDPR does do is introduce a higher level of compliance for organisations in terms of following good policies and procedures, whilst also requiring documentation of these. Organisations are also required to be completely transparent in their communication with individuals as to how their data is being handled and protected.
As we head into the uncharted territories of the post-GDPR world, so much is still unknown. The best you can do to protect your organisation is to ensure your house is in order. Take each of the key principles, think about how you are complying (or not!), and make sure both your thought processes and the resulting policies are written down. There can be a happy ending to your GDPR journey after all, and remember: Good Data handling Protects Relationships!