GDPR: Getting Data Protection Right (Part 1 - Lawful Processing)
A recent survey conducted by LawInSport found that 84% of 200 sports organisations were not fully aware of the implications of the EU’s General Data Protection Regulation (“GDPR”) for their organisation. With just 3 months to go, it’s critical that your organisation acts now.
This is part one in a series of blogs about Getting Data Protection Right. In this blog, we focus on lawful processing.
A key principle in the GDPR is that data controllers need to process personal data lawfully, fairly and transparently.
This is currently the case anyway under the Data Protection Act 1998 and like the Act, the GDPR sets out the list of lawful justifications for processing - often referred to as the “conditions for processing”. But what is new under the GDPR is an explicit obligation to tell people the legal basis for processing their personal data. So you are going to have to document and communicate this.
Another reason for needing to be clear about your lawful basis for processing personal data is that it affects the extent to which the individual can limit that processing. For example, if you are lawfully processing someone’s personal data because it is necessary for the performance of their employment contract, then they do not have the right to object to that processing.
Practical steps to take now:
- Analyse what your organisation does with personal information and cross-check those activities against the permitted conditions for processing. The ICO’s guidance on this can be accessed here. Note, different rules apply for special categories of personal data.
- Check that you are providing the right information in your privacy notice about what personal data you process, why and how. The ICO’s guidance on this can be accessed here.
At Mills & Reeve we offer a range of products and services relating to GDPR-readiness and data protection – to find out more please contact one of our data protection experts Paul Knight, Sarah Whyman or Edward Hadcock.