GDPR

GDPR Principles:

What is the GDPR?

It stands for the ‘General Data Protection Regulation’ and relates to personal data (only). It’s a regulation of the European Union that regulates the use of personal information. It comes into force on Friday 25.05.18 (regardless of what happens with Brexit). It’s very similar to the Data Protection Act (1998) in many ways but replaces it. The principles are similar to those set out in the current legislation but are strengthened with an emphasis on the legal basis for data processing, with more duty to record and additional rights with more transparency/information for individuals.

What are the principles of the GDPR?

Personal data must:

1. Be processed fairly, legally and thoroughly
2. Be collected for specific, clear and valid purposes
3. Be adequate, relevant and necessary
4. Be accurate and where necessary, be up-to-date
5. Be kept in an identifiable form for no longer than needed
6. Be processed safely

What are the rights of the individual under the GDPR? You need to tell the data subject about their rights when you collect their personal information.  So, the right:

1. To be informed (about their rights and the fact that their data is being processed)
2. Of access (i.e. Subject Access - 30 days to comply, you can’t charge a fee and you must keep a register of applications)
3. To rectification
4. To erasure
5. To restrict processing
6. To data portability (i.e. to move their data from one organisation to another)
7. To oppose
8. In relation to automated decision making

What is the legal basis for data processing?

A legal basis must apply to any personal data processing. Here are the 6 bases possible:

1. Consent/permission from the data subject to do so
2. Agreement – in relation to agreement/order/service provision
3. For the benefit of the public (e.g. CCTV in a public space)
4. In the data subject/individual’s vital interest
5. In our legal interest to collect (legitimate interests)
6. Legal obligation to collect

Action points for cylchoedd between now and Friday 25.05.18:

• Visit the intranet to see answers to practical questions on the GDPR and further information https://intranet.meithrin.co.uk/the-gdpr/
• Discuss the contents as a cylch at a management committee meeting
• Record the decision to appoint a Data Protection Officer or not
• Include Data Protection on the agenda of all future committee meetings
• Carry out an audit and clean up/remove old data
• Check the intranet regularly to see the latest information/documentation from the Mudiad on the subject