The General Data Protection Regulation (GDPR) is a significant change to the data protection laws of the European Union (EU). There is much to be done to prepare for GDPR and to ensure continued compliance; the guidance notes that the programme has developed can help staff to prepare.
GDPR applies to information relating to people
- Personal data
The GDPR applies to ‘personal data’ meaning any information relating to an identified or identifiable person.
This definition means a wide range of personal identifiers constitute personal data, including a name, an identification number, location data or an online identifier (for example an IP address or a cookie ID). This reflects changes in technology and in the way organisations collect information about people.
The GDPR applies to personal data held both electronically and in manual filing systems. This could include chronologically ordered sets of manual records containing personal data, as well as email.
Personal data that has been pseudonymised (e.g. key-coded) still falls within the scope of the GDPR, because the individual can be re-identified using the key.
- Special category personal data
The GDPR refers to sensitive personal data as “special categories of personal data”. This is data that is seen as particularly sensitive and that organisations must process with extra care and attention.
The special categories specifically include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data where processed to uniquely identify an individual, health data, and data concerning a person's sex life or sexual orientation.
Personal data relating to criminal convictions and offences is not a special category, but similar extra safeguards apply to its processing.
- Determining the lawful basis for processing
When you are processing personal data, you must establish your lawful basis for doing so. Be aware that under GDPR you need a lawful basis for each category of data you process: a lawful basis for processing personal data, and an additional condition for processing special category data (the two can sometimes rest on the same ground, for example explicit consent, but the special category condition is required in addition to, not instead of, the lawful basis for personal data).
To find your lawful basis, please use the ICO lawful basis interactive guidance tool.
- What to do if you find that you have retained personal data which you no longer require?
If you have identified that you are holding personal data that you are certain you no longer require, please do not delete the data. You should undertake the following steps:
- Document the location of the data.
- Document a summary of the data for your records.
- Undertake an exercise to try to identify if there are any other copies of the data elsewhere e.g. have any copies been made by other members of your team/department?
- Document where any copies are, and await further guidance.
The GDPR programme is not advising staff to delete data at this stage. The programme is in an investigation phase and we are looking to identify the areas where data is held. Once this stage is complete we will establish processes for cataloguing data and for the secure deletion of data that is not required. This is to ensure that we have a record of what has been deleted.