Your information audit should be centrally controlled by the data protection officer/data protection lead, or the data protection team. They must understand the flow of all data throughout the organisation.

You should organise an information/data audit across your business, or within a particular business area. One person with in-depth knowledge of your working practices may be able to do this. The audit will identify the personal information/data that you process and how it flows into, through and out of your business. Remember, an information/data flow can include the transfer of information from one location to another: for example, information may stay within your business yet a transfer takes place because a department or other office is located elsewhere (off site). Having audited your information, you should then be able to identify any risks.

GDPR Legislation

Your business must conduct information gathering exercises, and distribute and process questionnaires, in order to understand and document the personal data within the business, where it is held, how it is processed and who it is disclosed to.

If you have fewer than 250 employees you only need to keep these records for processing activities that:
* are not occasional;
* could result in a risk to the rights and freedoms of individuals; or
* involve the processing of special categories of data or criminal conviction and offence data.
You may be required to make these records available to the ICO on request.

ico. Accountability and governance

GDPR Legislation

Your business should think about why you want to process the data, and consider which lawful basis best fits the circumstances. You might consider that more than one basis applies, in which case you should identify and document all of them from the start.

You must have a valid lawful basis in order to process personal data.

There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.

You must determine your lawful basis before you begin processing, and you should document it.

Your privacy notice should include your lawful basis for processing as well as the purposes of the processing.

Your business must have a valid lawful basis in order to process personal data. There are six available lawful bases for processing. The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

ico. Lawful basis for processing

GDPR Legislation

Your business must check that consent is the most appropriate lawful basis for processing. Your business must ensure the request for consent is prominent and separate from terms and conditions.

Pre-ticked boxes must not be used for gathering consent; individuals must positively opt in when giving their consent.

Consent is appropriate if your business can offer people real choice and control over how you use their data, and want to build their trust and engagement. Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include: the name of your organisation; the name of any third party controllers who will rely on the consent; why you want the data; what you will do with it; and that individuals can withdraw consent at any time. Records should be kept to include when and how consent was given, in addition to what individuals were told when giving their consent.

ico. Consent

GDPR Legislation

Your business's obligations don’t end when you get consent. You should view consent as a dynamic part of your ongoing relationship of trust with individuals, not a one-off compliance box to tick and file away. To reap the benefits of consent, you need to offer ongoing choice and control.

You will need to refresh consent if anything changes – for example, if your processing operations or purposes evolve, the original consent may not be specific or informed enough. If your business relies on parental consent, bear in mind that you may need to refresh consent more regularly as the children grow up and can consent for themselves.

Your business should have a system or process to capture these reviews and record any changes.

Your business should continue to review consent as part of your ongoing relationship with individuals, not a one-off compliance box to tick and file away. Keep consent under review, and refresh it if anything changes. You should have a system or process to capture these reviews and record any changes. If your current consent doesn’t meet the GDPR’s high standards or is poorly documented, you need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing.

The GDPR gives people a specific right to withdraw their consent. You need to ensure that you put proper withdrawal procedures in place. As the right to withdraw is ‘at any time’, it’s not enough to provide an opt-out only by reply. The individual must be able to opt out at any time they choose, on their own initiative. It must also be as easy to withdraw consent as it was to give it. This means the process of withdrawing consent should be an easily accessible one-step process. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.

ico. Managing consent

GDPR Legislation

Systems should be developed and maintained centrally by the data protection officer/data protection lead or the data protection team, to ensure consent for processing personal information for a child is managed continuously. 

Your business must make reasonable efforts (using available technology) to verify that the person giving consent for children holds parental responsibility for the child.

Your business needs to have a lawful basis for processing a child’s personal data. If your business is relying on consent as your lawful basis for processing and is offering online services to children, only a child aged 13 or over will be able to provide their own consent. You will therefore need to make reasonable efforts to verify that anyone giving their own consent is old enough to do so. For children under 13 you need to get consent from whoever holds parental responsibility for the child, unless the online services you offer are for preventive or counselling purposes.

ico. The right to be informed

ico. Children and the GDPR

GDPR Legislation

Your business should consider whether you are likely to rely on the vital interests basis for processing. The circumstances where it will be relevant must be documented and your business must ensure the reasoning can be justified.

The reasons for relying on the vital interests basis for processing personal data should be collated and stored centrally by the data protection officer/lead.

Your business should only rely on vital interests as your lawful basis if you need to process the personal data to protect someone’s life. The processing must be necessary. If you can reasonably protect the person’s vital interests in another less intrusive way, this basis will not apply. Your business cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent. 

ico. Vital interests

GDPR Legislation

When your business is relying on legitimate interests as the lawful basis for processing, you must have applied the three-part test, consisting of: identifying a legitimate interest; showing that the processing is necessary to achieve it; and balancing it against the individual’s interests, rights and freedoms.

Your business is likely to be able to rely on legitimate interests for processing personal data where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. If your business chooses to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

ico. Legitimate interests

GDPR Legislation

Your business must register with and pay a data protection fee to the Information Commissioner's Office, unless your organisation is exempt.

The registration self-assessment found in the support section will help indicate whether your business needs to pay a fee to the ICO.

Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data need to pay a data protection fee to the Information Commissioner's Office (ICO), unless they are exempt. For those who do have to register, the new fees are as follows:
Tier 1: £40 (£35 if paid by direct debit) for micro organisations with a maximum turnover of £632,000 or no more than ten members of staff.
Tier 2: £50 for SMEs with a maximum turnover of £36 million or no more than 250 members of staff.
Tier 3: £2900 for large organisations who exceed the criteria of Tiers 1 and 2.

ico. Data Protection fee

GDPR Legislation

You must provide privacy information to individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with.

A number of techniques can be used to provide privacy information including a layered approach, dashboard, just-in-time notices, icons and mobile and smart device functionalities.

Your business must have processes in place to review privacy information being distributed to ensure it is kept up-to-date.

Individuals need to know that you are collecting their data, why you are processing it and who you are sharing it with. Your business should publish this privacy information on your website and within any forms or letters you send to individuals. There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.

ico. The right to be informed

GDPR Legislation

Your business must have systems in place to provide privacy information in a way that is easily understood by the child every time personal information is collected.

Your business must have processes in place to review privacy information being distributed to ensure it is kept up-to-date.

Your business must provide children with the same privacy information as you give adults. It is good practice to also explain the risks involved in the processing and the safeguards you have put in place. Any information directed at the child should be concise, clear, and written in plain language so that they are able to understand what will happen to their personal data, and what rights they have. It should be age-appropriate and presented in a way that appeals to a young audience. If children younger than your target age range are likely to try and access any online services you provide then try to explain any age limit to them in language they will understand.

ico. How does the right to be informed apply to children

GDPR Legislation

Your business must develop a process to recognise and respond to subject access requests within one month of receiving the request.

If the request is made electronically, your business should provide the information in a commonly used electronic format.

Individuals have the right to obtain confirmation that your business is processing their data; access to their personal data; and other supplementary information – this largely corresponds to the information that your business should provide in a privacy notice. Individuals can request information verbally or in writing. Your organisation must provide a copy of the information free of charge. However, your business can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive, or for further copies of the same information that has previously been provided. This does not mean that your business can charge for all subsequent access requests.

ico. Right of access

GDPR Legislation

If you receive a request for rectification, your business must have processes to ensure reasonable steps are taken to satisfy yourself that the data is accurate and to rectify the data, if necessary, within one calendar month.

Your business should implement processes for regularly reviewing the information you process or store, to identify when you need to take action, e.g. correcting inaccurate records. Records management policies, with rules for creating and keeping records (including emails), can help.

The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. Your business has one calendar month to respond to a request.

ico. Right to rectification

GDPR Legislation

Your business has processes established for the secure disposal of personal data that is no longer required. Where an individual has asked for their personal data to be erased, your business has the capability to respond to and action this within one calendar month.

Individuals have the right to be forgotten and can request the erasure of personal data when:
* it is no longer necessary for the purpose you originally collected/processed it for;
* the individual withdraws consent;
* you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
* you are processing the personal data for direct marketing purposes and the individual objects to that processing;
* it was unlawfully processed (i.e. otherwise in breach of the GDPR);
* it has to be erased in order to comply with a legal obligation; or
* it is processed for information society services to a child.
Individuals can make a request for erasure verbally or in writing.

ico. Right to erasure

GDPR Legislation

Your business should implement processes to recognise valid requests for the restriction of processing of an individual's personal data and have appropriate resources available for fulfilling these requests within one calendar month.

Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, your business is permitted to store the personal data, but not use it. An individual can make a request for restriction verbally or in writing. Your business has one calendar month to respond to a request.

ico. Right to restrict processing

GDPR Legislation

Your business must implement processes and assign appropriate resources to allow individuals to move, copy or transfer their personal data from one IT environment to another in a safe and secure way, without hindrance to usability.

Your business must respond to right to data portability requests within one month of receipt.

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits. This right only applies to information an individual has provided to a controller. Some organisations in the UK already offer data portability through midata and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe.

ico. Right to data portability

GDPR Legislation

Your business must develop a process and assign appropriate resources to recognise and respond to restriction of processing requests within one calendar month.

Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, your business is permitted to store the personal data, but not use it. An individual can make a request for restriction verbally or in writing and your business has one calendar month to respond to the request.

ico. Right to restrict processing

GDPR Legislation

Your organisation must identify whether any of your processing operations constitute automated decision making and complete a data protection impact assessment.

Procedures must be implemented to restrict solely automated decisions being made, including those based on profiling, that have a legal or similarly significant effect on individuals.

Automated individual decision-making is a decision made by automated means without any human involvement. Automated individual decision-making does not have to involve profiling, although it often will. The GDPR restricts your business from making solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals. Because this type of processing is considered to be high-risk the GDPR requires your business to carry out a Data Protection Impact Assessment (DPIA) to show that you have identified and assessed what those risks are and how you will address them.

ico. Automated decision making and profiling

GDPR Legislation

Your business must develop an appropriate data protection policy to show how you comply with the requirements of the GDPR.

The GDPR requires you to show how you comply with the data protection principles. A policy will help you address data protection in a consistent manner and demonstrate accountability under the GDPR. This can be a standalone policy statement or part of a general staff policy. The policy should clearly set out your approach to data protection, together with responsibilities for implementing the policy and monitoring compliance. Management should approve the policy and you should publish and communicate it to all staff. You should review and update the policy at planned intervals or when required to ensure it remains relevant.

GDPR Legislation

Your business should appoint a DPO or data protection lead who is tasked with monitoring compliance with the GDPR and other data protection laws, your data protection policies, awareness-raising, training, and audits.

Documenting policies alone is often not enough to provide assurances that staff are adhering to the processes they outline. Your business should ensure that you have a process to monitor compliance with data protection and security policies. Your business should regularly test measures that are detailed within the policies to provide assurances about their continued effectiveness. Responsibility for monitoring compliance with the policy should be independent of the people implementing the policy, to allow the monitoring to be unbiased. Staff should report the results of compliance testing on a regular basis to senior management.

GDPR Legislation

Your business must appoint a DPO or data protection lead who is responsible for providing mandatory data protection awareness training to all employees.

Processes must be implemented for tracking completion and escalation paths defined for non-completion of training within agreed timescales.

You should brief all staff handling personal data on their data protection responsibilities. It is good practice to provide awareness training on or shortly after appointment, with updates at regular intervals or when required. You should also consider specialist training for staff with specific duties, such as information security, database management, and marketing. Regularly communicating key messages is equally important to reinforce training and maintain awareness (for example intranet articles, circulars, team briefings and posters).

GDPR Legislation

Your business must have a written contract in place with any processors or sub-processors used. 

Whenever your business uses a processor you need to have a written contract in place, or another legal act must apply. The contract is important so that both parties understand their responsibilities and liabilities. The GDPR sets out what your business needs to include in the contract. Your business is directly liable for overall compliance with the GDPR and for demonstrating that compliance. If you don’t achieve this, then you may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures. Your business must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected. Processors must only act on your documented instructions. They do however have some direct obligations and responsibilities under the GDPR. If they fail to comply they may be liable to pay damages in legal proceedings, or be subject to fines or other penalties or corrective measures.

ico. Contracts

GDPR Legislation

Your business must have a clear set of security policies and procedures in place to support the risk management regime.

Your business must have processes in place to analyse and log any identified threats, vulnerabilities and potential impacts associated with your business activities, and to record them in an information risk register.

You should set out how you (and any of your data processors) manage information risk. You need to have a senior staff member with responsibility for managing information risks, coordinating the procedures put in place to mitigate them, and for logging and risk assessing information assets. Where you have identified information risks, you should have appropriate action plans in place to mitigate any risks that are not tolerated or terminated.

ico. Security

GDPR Legislation

Your business must implement appropriate policies and procedures to integrate data protection into your processing activities and business practices, from the design stage right through the lifecycle.

Under the GDPR, you have a general obligation to implement appropriate technical and organisational measures to show that you have considered and integrated data protection into your processing activities. This is referred to as data protection by design and by default. You should adopt internal policies and implement measures which help you comply with the data protection principles – this could include data minimisation, pseudonymisation and transparency measures.

ico. Data protection by design and default

GDPR Legislation

Your business must implement processes to ensure data protection impact assessments (DPIAs) are conducted for processing activities that are likely to result in a high risk to individuals.

A Data Protection Impact Assessment (DPIA) is a process to help your business identify and minimise the data protection risks of a project. Your business must do a DPIA for processing that is likely to result in a high risk to individuals. This includes some specified types of processing. 

ico. Data Protection Impact Assessments

GDPR Legislation

Your business must review existing risk management and project management processes, and ensure there is consistency with the DPIA processes you have implemented.

A DPIA can address multiple processing operations that are similar in terms of the risks, provided adequate consideration is given to the specific nature, scope, context and purposes of the processing. You should start to assess the situations where it will be necessary to conduct one:
* Who will do it?
* Who else needs to be involved?
* Will the process be run centrally or locally?
If the processing is wholly or partly performed by a processor, then that processor must assist you in carrying out the DPIA. It may also be appropriate to seek the views of data subjects in certain circumstances.

ico. Data Protection Impact Assessments

GDPR Legislation

Your business must nominate a Data Protection Officer (DPO) if you are a 'public authority or body', or if you carry out certain types of processing activities.

You should appoint a DPO if your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking), or your core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.

The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a 'public authority or body', or if you carry out certain types of processing activities. DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a point of contact for data subjects and the supervisory authority. The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level. A DPO can be an existing employee or externally appointed. In some cases several organisations can appoint a single DPO between them. DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.

ico. Data protection officers

GDPR Legislation

Support for data protection legislation should come from top level management and be promoted throughout the organisation.

You should make sure that decision makers and key people in your business are aware of the requirements under the GDPR. Decision makers and key people should lead by example, demonstrating accountability for compliance with the GDPR and promoting a positive culture, within your business, for data protection. They should take the lead when assessing any impacts to your business and encourage a privacy by design approach. They should help to drive awareness amongst all staff regarding the importance of exercising good data protection practices.

ico. Data protection culture

GDPR Legislation

Your business must develop an information security policy (or equivalent) and take steps to make sure the policy is implemented.

Your business must regularly review the information security policies and measures, and where necessary, improve them.

You should process personal data in a manner that ensures appropriate security. Before you can decide what level of security is right for you, you need to assess the risks to the personal data you hold and choose security measures that are appropriate to your needs. Keeping your IT systems safe and secure can be a complex task and does require time, resource and (potentially) specialist expertise. If your business is processing personal data within your IT system(s) you need to recognise the risks involved and take appropriate technical and organisational measures to secure the data. The measures you put in place should fit your business’s needs. They don’t necessarily have to be expensive or onerous. They may even be free or already available within the IT systems you currently have. A good starting point is to establish and implement a robust Information Security policy which details your approach to information security, the technical and organisational measures that you will be implementing, and the roles and responsibilities staff have in relation to keeping information secure.

ico. Information Security

GDPR Legislation

Your business must implement processes to identify, report, manage and resolve any personal data breaches.

Your business must establish clear processes to ensure certain types of personal data breaches are reported within 72 hours to the relevant supervisory authority.

The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. Your business must do this within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay. Your business should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision-making about whether or not you need to notify the relevant supervisory authority and the affected individuals. Your business must also keep a record of any personal data breaches, regardless of whether you are required to notify.

ico. Personal data breaches

GDPR Legislation

Your business must implement processes to ensure an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area.

Processes should be regularly reviewed and monitored.

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined. You may only transfer personal data outside of the EU if you comply with the conditions for transfer set out in Chapter V of the GDPR.

The GDPR primarily applies to controllers and processors located in the European Economic Area (EEA), with some exceptions. Individuals risk losing the protection of the GDPR if their personal data is transferred outside of the EEA. On that basis, the GDPR restricts transfers of personal data outside the EEA, or outside the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies. A transfer of personal data outside the protection of the GDPR (which we refer to as a ‘restricted transfer’) most often involves a transfer from inside the EEA to a country outside the EEA.

ico. International transfers

GDPR Legislation