As part of our commitment to continually improve our service and to help our clients meet their legal obligations, we continue to update the Legal Registers on our website and provide free quarterly legal compliance updates to anyone who subscribes. The purpose of these updates is to keep you informed of any changes to your legal compliance obligations. The updates can also be retained and used as evidence that your business is keeping up to date with changes in legislation, which can be very helpful at audit time.
The GDPR forms part of the data protection regime in the UK, together with the Data Protection Act 2018 (DPA 2018). It defines the requirements that apply to the processing of personal data.
Personal data is information that relates, directly or indirectly, to a living individual who is identified or identifiable, either directly or indirectly, from one or more identifiers (such as a name, an identification number, location data or an online identifier) or from factors specific to that individual.
The GDPR covers the processing of personal data in two ways: personal data processed wholly or partly by automated means (that is, information in electronic form); and personal data processed in a non-automated manner which forms part of, or is intended to form part of, a 'filing system' (that is, manual information in a filing system).
Some of the personal data you process is more sensitive in nature and therefore requires a higher level of protection. The GDPR refers to these types of data as 'special categories of personal data'. This includes personal data revealing an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data (where it is used for identification purposes), health data, and data concerning a person's sex life or sexual orientation. Personal data relating to criminal convictions and offences is not a special category under the GDPR, but it is subject to separate, similarly strict conditions (Article 10 of the GDPR and the DPA 2018), so in practice it must be handled with the same care.
Your obligations under the GDPR will vary depending on whether you are a controller, a joint controller or a processor. Controllers are the main decision-makers: they exercise overall control over the purposes and means of the processing of personal data.
If two or more controllers jointly determine the purposes and means of processing the same personal data, they are joint controllers. They are not joint controllers if they process the same data for different purposes. Processors act on behalf of, and only on the documented instructions of, the relevant controller.
As a controller, you must: identify valid legal grounds under the GDPR (known as a 'lawful basis') for collecting and processing personal data; ensure that you do not do anything with the data that breaches any other law; and use personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.
You must also be clear, open and honest with people from the start about how you will use their personal data. Provide individuals with information including: your purposes for processing their personal data; your retention periods for that data; the security measures you have implemented; how they can exercise their rights, including the subject access procedure; and who the data will be shared with. This is generally called 'privacy information'.
The GDPR applies to controllers and processors established within the EU, and it also extends to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour there, regardless of those individuals' citizenship.