As we edge ever closer to the implementation deadline, there are only FIVE weeks to go until the new General Data Protection Regulation (“GDPR”) comes into force. To help you prepare for compliance, you can follow LawBite’s easy-to-digest countdown guides each week from now until enforcement on May 25th, in which we will cover each of the six key principles of the GDPR and explain what you need to do in order to get your business up to speed. This week we talk about the second key principle of the GDPR.
Principle 2: Data must be collected for specified, explicit and legitimate purposes.
This key principle states that data shall be collected for specified, legitimate and explicit purposes and not processed further in a manner that is incompatible with those purposes. In our previous article, we talked about data being processed in a transparent manner and transparency is a key theme running through the legislation. The Information Commissioner’s Office (ICO) itself states that the second principle aims to ensure that organisations are open about their reasons for obtaining personal data, and that what they do with the data is within reasonable expectations of the individuals concerned.
So what does this mean in practice, and how can you ensure your organisation is complying?
Firstly, be clear and explicit as to why you are collecting the personal data – it should only be for a specified lawful purpose. If you don’t know why you are obtaining the data, the chances are you don’t have a lawful purpose for doing so!
Be up front – specifying from the outset the purpose or purposes for which you are collecting the data will give clarity to your customers/clients and will help you as an organisation stay focused on what you are doing and why. Set the detail out clearly in any privacy notice you produce and make sure this is made available to individuals at the time their data is collected.
Next, remember that the purpose you specify and rely on at the time of collection must match the processing you actually undertake. When the purpose is different, you must check your duties and ensure that the new use or disclosure is fair. If you are using or disclosing the information in a way that is outside what the individual concerned would reasonably expect, or that would have an unjustified adverse effect on them, then it is probably unfair and so should be considered incompatible with the original purpose. Fines against the RSPCA and British Heart Foundation demonstrate how seriously the ICO takes organisations using personal information for purposes that exceed the permissions given. When considering whether another purpose is compatible with the original one, the things to look at are: any link with the original purpose; the context in which the personal data has been collected; the possible consequences of the further processing; and whether appropriate safeguards are in place.
Finally, complying with your obligations to inform individuals about what you are doing with their data is only part of the story; unfair processing will still be unfair even if you have complied with your other obligations. So make sure that box is ticked!
You will hear this again and again whenever the GDPR is talked about, but clarity and transparency are key. The ICO is very, very big on the use of clear and precise language, so spell things out – think carefully about your intended audience and tailor your wording accordingly.
Next week, part 3 – the data minimisation principle… see you next Wednesday!
To consult with Jessica, please submit an enquiry for a free 15-minute consultation or call our dedicated GDPR Hotline 0845 241 1843.
In addition to GDPR templates, the package contains a 30-minute GDPR audit consultation and an additional 2 hours of specific GDPR legal advice, all for only £495 + VAT (versus £675 + VAT).