As we edge ever closer to the implementation deadline, there are only FIVE weeks to go until the new General Data Protection Regulation (“GDPR”) comes into force. To help you prepare for compliance you can follow LawBite’s easy-to-digest countdown guides each week from now until enforcement on May 25th, in which we will cover each of the six key principles of the GDPR and explain what you need to do in order to get your business up to speed. This week we talk about the second key principle of GDPR.

Principle 2: Data must be collected for specified, explicit and legitimate purposes.
This key principle states that data shall be collected for specified, legitimate and explicit purposes and not processed further in a manner that is incompatible with those purposes. In our previous article, we talked about data being processed in a transparent manner and transparency is a key theme running through the legislation. The Information Commissioner’s Office (ICO) itself states that the second principle aims to ensure that organisations are open about their reasons for obtaining personal data, and that what they do with the data is within reasonable expectations of the individuals concerned.
So what does this mean in practice, and how can you ensure your organisation is complying?
Firstly, be clear and explicit as to why you are collecting the personal data – it should only be for a specified lawful purpose. If you don’t know the answer as to why you are obtaining the data, the chances are you don’t have a lawful purpose to be doing so!
Be up front – specifying from the outset the purpose or purposes for which you are collecting the data will give clarity to your customers/clients and will help you as an organisation stay focused on what you are doing and why. Set the detail out clearly in any privacy notice you produce and make sure this is made available to individuals at the time their data is collected.
Next, remember that the purpose you specify and rely on at the time of collection must match the processing you undertake. When the purpose is different you must check your duties and ensure that the new use or disclosure is fair. If you are using or disclosing the information in a way that is outside what the individual concerned would reasonably expect, or that would have an unjustified adverse effect on them, then it is probably unfair and so should be considered incompatible with the original purpose. Fines against the RSPCA and British Heart Foundation demonstrate how seriously the ICO takes organisations using personal information for purposes that exceed the permissions given. When considering whether another purpose is compatible with the original one, things to look at are: any link with the original purpose; the context in which the personal data has been collected; the possible consequences of the further processing; and whether appropriate safeguards are in place.
Finally, complying with your obligations to inform individuals about what you are doing with their data is only part of the story; unfair processing will still be unfair even if you have complied with other obligations. So make sure that box is ticked!
You will hear this again and again whenever GDPR is talked about but clarity and transparency are key. The ICO is very, very big on the use of clear and precise language so spell things out – think carefully about your intended audience and tailor accordingly.
Next week: part 3 – the data minimisation principle. See you next Wednesday!
To consult with Jessica, please submit an enquiry for a free 15-minute consultation or call our dedicated GDPR Hotline 0845 241 1843.