Self-assessment tool

The starting point for GDPR compliance is knowing what personal data your business holds and why. The GDPR requires that all data controllers (the collective term for a business or organisation) must be able to identify all types of personal data they process, where this data is stored and its significance for the business itself. This applies regardless of whether the personal data in question is stored digitally or in hardcopy format.

Good data management is necessary in order for a data controller to be able to accurately identify and locate relevant personal data in IT systems or in hardcopy storage, and be able to demonstrate this capacity to data protection authorities should the need arise.

Knowing your data and being in compliance with the GDPR contributes to a positive business reputation and increases effiencies for data controllers.

Data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic and biometric data are considered special category data, for which the GDPR provides strict and detailed processing rules.

Processing this type of data can be considered to pose a higher risk to the rights and freedoms of individuals and, for this reason, processing special category data should be avoided where possible.

If this is not possible to avoide processing special category data (for example, a hospital cannot refrain from processing health data) data controllers may only proceed to process the information according to one of the legal basis provided for under Article 6 of the GDPR and the if they are covered by an exemption under Article 9(2) of the GDPR.

Processing special category data requires a higher degree of security, including organisational and technical measures to mitigate the risk of a data breach. This includes educating employees on the importance of personal data protection, and ensuring that there are proper policies in place to control who in your organisation can access and process the information.

Personal data must be collected for specific, explicit and legitimate purposes and may not be further processed in a manner inconsistent with those purposes. (there is an exception in terms of further processing for archiving purposes in the public interest, for the purposes of scientific or historical research or for statistical purposes which is considered to be in line with the original purposes).

The purpose for which personal data are processed must be explicitly stated at the time of data collection. Therefore, the purpose must be defined before processing, and that purpose must be sufficiently clear and specific to increase transparency and ensure legal certainty, and this data must be necessary and relevant for these purposes, and the data should be processed only if the purpose cannot be achieved by another means.

Data minimisation is important here. Collect only the least amount of personal information necessary to provide the service, and keep it only for the minimum amount of time necessary. The more data an organisation holds, the greater its risk of incurring a breach. Data minimisation helps reduce that risk to business.

Every business and organisation is obliged to make clear – at the point of collection – what personal data it is collecting, why it is collecting the data, how long it will retain the data and any further processing that will occur (such as transfer to a third party). This transparency obligation applies regardless of whther the  data belongs to services users or employees. Articles 13 and 14 of the GDPR prescribe the information that must be provided to individuals.

The information provided must be explained in clear and simple language. If it is about the processing of children's data, then it is necessary to further adapt this information to the age and understanding of the child. These individuals must be clear about the ways in which you will process their data, the risks that may arise from the processing, and the safeguards you have taken to mitigate those risks.

As a general rule, data may only be processed for the purposes for which it was originally collected. These purposes will have been made clear to the individual in accordance with the transparancy requirements laid out in question 4, above.  

In some instances, it may be possible for an orgaisation to rely on Legitmate Interest as a legal basis to carry out further processing. Legitimate interest, as a legal basis, can be appropriate where an organisation is using people’s data in ways they would reasonably expect and which will have a minimal privacy impact, or where there is a compelling justification for the processing.

Where a data controller choses to rely on legitimate interests, they are taking on extra responsibility for considering and protecting people’s rights and interests.

There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. Organisations must:

• • identify a legitimate interest;
  • show that the processing is necessary to achieve it; and
  • balance it against the individual’s interests, rights and freedoms.

Organisations must balance their interests against the individual’s. If the individual would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override the organisations legitimate interests.

Keep a record of the legitimate interests assessment (LIA) to help demonstrate compliance if required.

Where the personal data is obtained directly from the individual for whom you will be providing the service, the necessary transparency and accountability obligations that have been outlined in the preceding questions must be adhered to, including the minimisation of the data collected and transparency with the individual about the nature of the processing and the length of time their personal information will be stored. While the data is under your organisation’s control, you are responsible for its security and ultimately, its secure deletion when the data has ceased to be necessary.

Where you have obtained personal data from a third party (e.g. to provide payroll services to another organisation) can you verify that the personal data you are being asked to process has been sourced legitimately? Where one organisation is providing a service that necessitates it to process personal data on behalf of another organisation, they should ensure that a Data Processing Agreement (see question XX) exists between them to formally document the nature and limits of the processing, for everyone’s mutual assurance and compliance.

When it comes to marketing, organisations should be especially wary about the source of any email or phone lists that are offered for sale to increase customer reach. These lists may have non-compliant origins and have possibly been shared without the individual’s knowledge.

When processing data in your organisation, whether it is customer data, client, patient, etc., it is important that the data you process is appropriate, relevant and limited to what is necessary in relation to the purposes for which they are processed, to avoid excessive data processing. Keep data processing – which includes collection – to the minimum necessary to provide the service. Do not hold onto the information for any longer than is necessary.

The processing of personal data must be secure and organisations are obliged to assess the risks attached to their processing activities and procedures in order to reduce the possibility of accidental or unauthorized loss, use, alteration, disclosure or access to the data.

To minimize potential risks, appropriate technical measures should be put in place for all data that an organisation holds (electronic and hard copy). Technical measures can include pseudonymisation (using numbers or codes instead of names to record data), encryption, and the use of strong passwords on technical equipment. These measures need to be supported by wider organisational security measures such as employee education, confidentiality statements, clear allocation of responsibilities, protection of access to the data and access authorization checks).

A data protection officer, if designated, can assist the organisation in all these processes. It is important to note, however, that accountability rests with the data controller.

Despite technical security measures and/or the presence of a data protection officer, a large number of breaches still occur which can be directly attributed to human error. Data protection is everybody’s responsibility, and therefore all staff need to be aware and educated when it comes to data protection in their daily work.

Policies should be put in place – and regularly reviewed – to ensure cross-organisation compliance with obligations of confidentiality, security, and data sharing. These policies should be communicated to staff regularly, so that data protection compliance becomes the default culture in your organisation.

Also important to remember is the fact that employees are individuals too – with their own data protection rights. The protections that are in place for customer data should be matched by those in place for employee data, to ensure that there is no unauthorised access to records.

One of the fundamental principles of the GDPR is the principle of storage limitation, which stipulates that personal data must be deleted or anonymised as soon as they are no longer needed for the purposes for which they were collected.

Therefore it is vitally important to know if there is other legislation that applies to your area of business, because the issue of storage is often determined by law. Examples here would include things like medical and dental records, which have their own rules governing their retention. For areas of work that don’t have minimum retention periods set out for them, e.g. hairdressers, the rule of thumb remains that data be retained for no longer than it is necessary to carry out the function for which it was obtained

There is an exception when data can be stored for a longer period of time, in terms of archiving for public interest, for scientific, historical purposes, statistical purposes, provided that appropriate technical and organisational protection measures are taken.

Also, it is important to note that the storage time limit only applies to data that allows identification. Where data has been fully anonymized, it no longer constitutes personal data since it can no longer be used to identify an individual.

Data that is no longer necessary for the purposes for which it was collected – and which does not have specific retention rules like medical records etc. – must be deleted or anonymized as soon as possible. It may be helpful to schedule an annual review of current : past customers and employees in this regard, so that you can demonstrate and document your compliance should the need arise.

Where records are identified for erasure, the data must be deleted in its entirety, irrevocably and including all backups, and in the case that the data is legally transferred to a third party, it is necessary to ensure that the third party deletes the data.

The data you process must be accurate and up-to-date.

For this purpose, it is advisable to check the data regularly to ensure accuracy. This is important because of the damage that an individual may suffer if an organisation processes inaccurate data. For example if a bank has outdated data in its database, an individual may suffer negative consequences when applying for a loan. Equally, businesses may incur delays with payments for goods or services provided, if the information they have on record is out of date. Keeping records accurate and up-to-date is not just an obligation, it is of benefit to all.

Data often needs to be updated. This can be as simple as an individual moving house, to changes in their domestic or financial situations. Where these changes arise, it is important that business be able to update their records as quickly and efficiently as possible, to minimise inconvenience to all parties.

Under the terms of the right to rectification – as it is provided for in the GDPR – a request to update personal data must be responded to without delay, and no later than 30 days. The preceding questions have outlined the type of organisational practices and measures – including knowing what data you hold and where it is recorded – that make it possible for an organisation to comply effectively and efficiently with this type of request. Where the same record is held in more than one location (e.g accounts and HR) the personal data must be updated in all locations.

Processing of personal data must be transparent to your customers/clients.

They have the right to be informed of the rights guaranteed to the individual by the General Data Protection Regulation, namely the right to information, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object and the right not to be subject to decisions based solely on automated processing.

The individual must also be informed about their entitlement to raise a complaint with their data protection authority, where they feel that their rights in this regard have been infringed.

All of this information must be provided at the point at which the data is being collected. You may refer the individual to your privacy policy, which should outline all of this information for them.

All notices must be provided in clear and simple language, and in the case of notices intended for children, they must be adapted to the age and understanding of the child.

Access to personal data is one of the strongest rights afforded to individuals by the GDPR. As a general rule, individuals must be provided with a complete copy of their personal data when requested, within one month of making the request. Organisations should have procedures in place to ensure that employees recognise access requests when they receive them and know how to escalate the request up through the proper internal channels. Failure to properly comply with access requests gives rise to the vast majority of individual complaint cases to data protection authorities each year.

Closely related to the right of access is the right to rectification. Where an individual finds that there is an inaccuracy in their data, they may request that this be corrected. Generally, this request must be complied with unless there are legitimate reasons not to (amendments to criminal records, for example, may need sanction from the courts as well as a request from the individual). In the case of general corrections, the business must ensure that staff are kept continuously aware of the procedures for recognising and escalating requests for rectification.  

Customers are entitled to request a copy of their personal data in portable format, even if their intention is to move their custom to one of your competitors. Organisations are obliged to comply with a portability request. Staff you be made aware of how to recognise and escalate these requests through the appropriate internal channels, to ensure the request is complied with in a timely manner.

Even without raising a complaint with the data protection authority, an individual is fully entitled to engage with your organisation on their own behalf. The vast majority of data protection complaints can be resolved effectively and expeditiously in this way. Procedures should be in place within your organisation to ensure that customers can contact you (or your designated data protection official) quickly and easily. Transparency and good communication with customers is vital to deescalating issues of this nature, before they become more serious.

An individual has the right to object to a decision based solely on automated processing, including profiling, which has consequences for their life. Examples of this type of processing can include loan applications where approvals are generated based on algorithms.

Individuals have the right to understand the reasons behind the decisions made about them by automated processing and their possible consequences, and to oppose profiling in certain situations (for example, direct marketing).

If your organisation relies on automated processing, this should be clearly communicated to customers in the first instance. Processes should also be put in place to record and respond to objections from individuals against said processing.

Exemptions to the right to object apply only in instances where the decision is necessary for the conclusion of a contract between an individual and an organisation, is permitted by legal regulation or based on the explicit consent of the individual.

All of the rights at apply to your customers as individuals also extend to your employees too.

Therefore employees should be fully informed as to the type(s) of data you hold on them, how it is secured, who has access to it and whether it will be transferred to a third party (e.g. for the purpose of collecting state taxes).

Transparency obligations also apply, and so this information must be made available to employees in an easily accessible and comprehensible format.

Employers are obliged by data protection legislation to be transparent with their staff about staff rights as individuals under the GDPR. Information about their individual rights – as well as the nature and extent of the data you process about them – should be available to staff.

Policies should be checked regularly to ensure that they are in compliance with the law, and staff records should be audited regularly to ensure that the information contained therein is accurate and up-to-date. 

The laws governing data protection and employer obligations may be subject to modifications over time. Policy documents should be kept under regular review to ensure that they continue to meet compliance requirements. Changes to legislation may require you to update or amend your previous policies and procedures, to ensure that individual’s data protection rights are being upheld.

Similarly, the act of operationalising your policies and procedures may expose gaps that haven’t been allowed for. Policies should therefore be revised to mitigate these gaps, so that the business is not exposed to the risk of systemic failure.

Encryption technologies may be useful to consider if your business processes data in volume, of if the business processes special category data. Encryption technologies provide an additional layer of security at source and help reduce the risk of exposure to your organisation in the event that you suffer a breach (e.g. through theft or human error).

Appropriate safeguards must be in place for the protection of employee data, including restricting access to the data to authorised persons only. This is particularly important in smaller enterprises where there is likely to be a high degree of familiarity between co-workers. Data access should be restricted to those persons who have a legitimate reason to engage with the information (e.g. HR) and should not be stored or discussed in a space that is generally accessed by all staff (e.g. the canteen). Employee records – regardless of whether they are stored digitally or in hard-copy) should be kept secure, accurate and up-to-date.

The business or organisation, in their capacity as data controller, is ultimately accountable for the organisation’s overall compliance with the requirements of the GDPR.

Within the organisation, there may be designated staff whose job it is to support the organisation in its compliance efforts, such as a DPO, compliance officer or team leader. Where a data controller relies on specific staff to drive compliance for the wider organisation, it should naturally ensure that those staff are given the training and resources necessary to carry out that task. Data Protection Officers have specific protections under the GDPR that inform their role within the business structure.

Regardless of whether there are support-staff in place or not, data protection compliance should be viewed as the responsibility of all employees. Staff should be made aware – and regularly reminded – of the importance of data protection to their daily work, as well as any workplace policies that deal with data protection.

Every data processing activity that your business or organisation carries out must be able to point to the legal basis (or bases) that you rely on to justify the processing. Article 6 of the GDPR specifies six legal bases for the processing of personal data, at least one of which must apply to your processing activity in order for it to be lawful. No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual. The six legal bases for processing are:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data under Article 9 of the GDPR.

Important: Most lawful bases require that processing is ‘necessary’ for a specific purpose. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.

Consent, as a legal basis for processing, must meet quite a high threshold to satisfy the requirements of the GDPR. To qualify as a legal basis, consent must be:

• Freely given
• Fully informed
• Specific

There must be a clear indication of the data subject's wishes - either a statement or a clear affirmative action (e.g. ticking a box) - signifying the individual’s agreement to the processing of their personal data.

The individual must be fully informed, in comprehensible terms, of the purpose(s) for which their data will be processed and any consent the individual gives will therefore only apply to the specific purposes that have been outlined to them. The individual must also be made aware that they are fully entitled to withdraw their consent at any point.

The onus is on the business or organisation to be able to demonstrate that it has obtained valid consent for its processing activities, and to be able to demonstrate this to the data protection authorities if necessary.

Under the terms of the GDPR, individuals are fully entitled to withdraw their consent to processing. Withdrawing consent should not be any more difficult for the individual than providing said consent was in the first instance.

An individual should be able to withdraw their consent without harmful consequences or undue effort, which generally means free of charge and without negatively affecting the quality of service.

Legitimate interest is a more flexible form of legal basis and may be most appropriate where using an individual’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

By relying on legitimate interests, the business or organisation assumes the extra responsibility of considering and protecting people’s rights and interests.

Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.

There are three elements to the legitimate interests basis:

1. identify a legitimate interest;
2. show that the processing is necessary to achieve it; and
3. balance it against the individual’s interests, rights and freedoms.

The legitimate interests can be those of your own business or organisation, or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

The legitimate interests of the business must be balanced against the individual’s fundamental rights. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.

Record your legitimate interests assessment (LIA) to demonstrate compliance if required.

Include details of your legitimate interests in your privacy information.

You must balance your interests against the individual’s interests. In particular, if they would not reasonably expect you to use data in that way, or it would cause them unwarranted harm, their interests are likely to override yours. However, your interests do not always have to align with the individual’s interests. If there is a conflict, your interests can still prevail as long as there is a clear justification for the impact on the individual.

You should avoid using legitimate interests if you are using personal data in ways people do not understand and would not reasonably expect, or if you think some people would object if you explained it to them. You must tell people in your privacy information that you are relying on legitimate interests, and explain what these interests are.

Transferring personal data is a very common part of modern business, and is often vital to ensure that services are delivered efficiently and effectively. The GDPR places certain obligations on businesses where data is shared. The company must inform individuals that it will be sharing their data with a third party and the purposes for which the data is being shared, as well as the security, access and retention measures that will apply to ensure the safety of the data.

On an operational level, if it is the case that you need to regularly share data with a third party to carry out processing activities on your behalf, you may need to consider putting a data processing agreement in place to clearly call out the nature and scale of the processing and areas of responsibility.

As with all processing activities, transferring personal data must be underpinned by a legal basis (see question 28). A business or organisation must be able to point to the legal basis it is relying on to transfer the data, and demonstrate this to the data protection authorities if requested to do so.

The business must also be able to demonstrate how it has met its accountability obligations, in terms of transparency with the individual and making sure they have access to the information about where their data is being moved to and why.

Transparency with individuals is one of the key principles – and obligations – of the GDPR. An organisation can never be too transparent with people about the processing their personal data will go through. The more transparency and awareness that exists between the individual and the data controller, the greater the trust and expectation of compliance. Customers and staff want to feel that their information is safe with you, and fully informed transparency is becoming more and more central to a good business reputation.

Some organisations are obliged to appoint a data protection officer (DPO), depending on the scale or type of type of data they process.

A DPO must be appointed in cases where:

In situations where a data controller is not required by the terms of the GDPR to appoint a DPO they may still find it beneficial to appoint one anyway, to act as a critical friend to the organisation and provide inputs into project planning and business operations. 

Compliance with data protection law and the principles of the GDPR remains a requirement for all data controllers, regardless of whether they meet are legally obliged to appoint a DPO.

The data protection officers are required to possess the necessary professional qualities, including knowledge of data protection law and a thorough understanding of the core processing activities of their organisation. The tasks of the DPO are set out in Article 39.

The data protection officer may be a staff member or an externally contracted service provider.

The details of the data protection officer must be published where your customers can easily find them (e.g. your website) and formally notified to your data protection authority.

You must ensure that the data protection officer involved in all matters of personal data protection, regardless of whether the processing relates to staff or service users. Ways to incorporate the DPO into your business structure include:

• The DPO should regularly attend meetings of senior and middle management.
• They DPO should be provided with all relevant information necessary to do their job, and given sufficient time to assess the information and offer any advice.
• The DPO’s advice should be taken into account. If there are disagreements arising out of this advice, you should always document why you did not act on the advice of the DPO.
• Consult the DPO immediately if a data breach or other incident occurs.

A personal data breach refers to a breach of security due to the loss, alteration, unauthorized disclosure or access to data, or unlawful destruction.

In order to reduce the possibility of breaches occurring, technical and organisational measures should be put in place to increase data security. Examples of technical measures include firewalls on computer-based systems, pseudonymisation and encryption. Organisational measures might include staff training and robust internal procedures.

Breaches are important because they can lead to identity theft, fraud, financial loss/material damage individuals, which, in turn, is damaging to the business reputation of an organisation.

If your business or organisation suffers a breach, you must notify their data protection authority without delay, and no later than 72 hours after discovering the breach. Any delays in notifying the authorities of the breach will need to be explained and may result in penalties for your organisation.

If you are processing data on behalf of another organisation or business and incur a breach, you must notify the organisation or business of the fact without delay. The organisation or business – as the data controller – will then notify the data protection authority.

It may be the case that a breach does not need to be reported to the data protection authorities if you can prove that the breach does not pose a risk to the rights and freedoms of individuals. For example, if one of the technical security measures your organisation put in place was the anonymisation of data, and the data therefore cannot be used to identify an individual or group of individuals, then you have mitigated the potential harm.

If the breach is likely to pose a risk to the rights and freedoms of the individual then it is necessary to inform the individuals as well as the data protection authorities.

Any personal data breach that your organisation incurs – regardless of whether it meets the threshold for obligatory notification to the data protection authorities – should be recorded in your company records. This will enable you to track patterns and identify areas of repeated or systemic risk.

Repeated infractions may indicate that there is an ongoing problem being left unresolved, which increases your organisations exposure to risk.

A record of your processing activities is the essential first step in any organisation’s compliance efforts. You must know what data you hold and know the uses you put that data to.

Keeping records of processing activities is not mandatory if your organization employs less than 250 employees, however, regardless of the number of employees, you are required to keep records of processing if:

• the processing is likely to pose a high risk to the rights and freedoms of individuals (for example: introduction of new technologies such as biometric readers, face recognition, IT services that process personal data) or
• the processing is not occasional (a once off) Examples include processing for the purpose of payment of salaries etc., which is continuous, or
• the processing includes special categories of data (for example: health data processed by the hospital, biometric data, genetic data) or
• the processing includes personal data relating to criminal convictions and criminal offences.

Processing records must be written down. Article 30 of the GDPR sets out the information that should be included in the records. The processing records themselves should be appropriately stored and secured.

Processing records do not need to be forwarded to your data protection authority, but they must be available for inspection if requested.

Your company, as the controller, may entrust another company, as the processor, to carry out certain processing of personal data on your behalf.

The most important difference between the controller and the processor is that the controller makes the decisions about the purposes and methods of processing, and the processor processes this data on behalf of the controller following strict instructions.

The activities entrusted to the processor may relate to a specific task, or may apply to a broad range of tasks.

A contract – specifically a data processing agreement (DPA) –  should be in place between the data controller and the processor. The elements of a DPA are set out in Article 28 paragraph (3) of the GDPR.

Accountability lies with the controller, who may use processor services only when they have satisfied themselves that the processor will apply appropriate technical and organisational measures when carrying out the work. This should all be detailed in the data processing agreement. However, the processor becomes liable in the event that the processor does not follow the instructions of the controller.

Data Processing Agreements (DPAs) formally record the data that will be shared between controllers and processors; specify the exact purposes for which data will be used and also records all the technical and organisational safety measures that the controller requires of the processor. Article 28 paragraph (3) of the GDPR sets out the type of information that should be contained in the data processing agreement.

The data controller is responsible for ensuring that the processor it engages meets the appropriate level of compliance, and that it has provided the processor with detailed instructions as to the exact work the processor must undertake on its behalf. Where an infraction occurs because the processor did not follow the instructions given to it by the data controller, the processor becomes liable.

If your organization has an official website, then you can use it as the first point-of-call for customers wishing to find out about your privacy policies and details of your Data Protection Officer. This information should be made plainly visible and easily accessible.

If your website uses Cookies – particularly for the purpose of generating analytical information which may be used to target customers later – this must be made absolutely clear to users from the very first point of access to the site and users must be given the opportunity to easily opt-out of Cookies without any reduction in the quality of service they receive.

If you outsource the running of your website to another company or web developer, the responsibility for ensuring that the website is compliant remains with you. Accountability cannot be outsourced. Engage regularly with your website manager to ensure that unnecessary records are not being created when customers use your website. Always ask what data is being collected – through Cookies or other means – why it is being collected, how it is being stored/erased and who has access to it.

A cookie is a small text file that may be stored on your computer or mobile device that contains data related to a website you visit. In some cased, cookies may be used to gather and store information about the user. This may be helpful to the user (e.g. the user may decide to save their payment details for a website they buy from regularly) or potentially harmful to the individual (e.g. the website records and shares information about the individual’s purchases with other companies, without the individual’s consent).

Users should be informed if your website is using cookies, what purposes the cookies are being used for and given the option to easily opt-out. Opting out should not result in a reduction in the quality of service the customer receives. Many websites now use a layered system for cookie consent, giving users the option to select ‘on’ or ‘off’ to different purposes (e.g. customers might opt-in to essential, functional cookies but opt-out of marketing cookies).

In order to utilise cookies (or any similar technologies) on a website, user consent is normally required (as set out in Regulation 5(3) of the ePrivacy Regulations). Under the General Data Protection Regulation (GDPR), consent must be a clear, affirmative act, freely given, specific, informed, and unambiguous.

Consent is not needed where the cookie or other technology is strictly necessary to provide a service which has been explicitly requested by the user, e.g. cookies which may be needed to provide the user with a functioning website which they want to access (see Regulation 5(5) of the ePrivacy Regulations for more information).

Users must be provided with easily accessible, ‘clear and comprehensive’ information on:

• The technology used by the website to collect personal data; and
• The purpose for which the collected data will be used.

Websites have become the new ‘shop floor’ for many businesses and organisations. A significant and growing amount of commerce is conducted online. Websites must be taken seriously by companies, especially when it comes to transparency with customers. Data protection policies, cookie notices and any other information that you need to share with customers about their data protection rights should be easily visible on your website. The information should be reviewed regularly to ensure that your published policies are always in line with your actual operational practices.

Closed circuit video systems (CCTV) are commonly used by many businesses and organisations. Where video surveillance is in operation, you must post clearly visible notices indicating this to both staff and customers. Your CCTV policy must clearly indicate the specific purpose for which you are recording the footage (e.g. security), who will have access to the footage and how long it will be retained. As the cameras may capture people’s faces – which is personal data since it identifies an individual – the policy must also inform people that they are entitled to make an access request for copy of their data, and how to may make that request to your business or organisation.

CCTV use needs to be considered in terms of proportionality. Think about whether all cameras need to be switched on all the time. Be mindful of staff rights as individuals when placing cameras – could the location of some cameras constitute disproportionate or invasive surveillance for them? Give serious consideration who in your organisation or business should be authorised to access the footage, and ensure appropriate security measures are in place to avoid abuses.

Your CCTV policy must state the purpose for which you are using video surveillance. For example, if your business or organisation has identified and published ‘security’ as the reason for the cameras, then that is the only purpose for which it may be used.

Use of video surveillance must be notified publicly. Such notices must identify the data controller, so that individuals can make contact with them if they need to make an access request. CCTV footage has the potential to record significant amounts of personal data, and can potentially constitute large-scale processing. You must ensure that you have adequate security and procedures in place to minimise the risk to the rights and freedoms of individuals. Make sure that footage is secured, accessed only by authorised individuals and that it is securely deleted as soon as it is no longer needed.

If you employ a contractor – such as a security firm – to operate CCTV on your behalf, the responsibility is still on you to ensure that they are operating the system compliantly and in strict accordance with your instructions. A data processing agreement may be necessary to detail this properly.

All processing of personal data – including video surveillance – must have a legal basis under the GDPR, otherwise it is unlawful. For example ‘security’ is not a legal basis, it is a purpose. To operate CCTV, the data controller needs to identify which of the six legal basis – under Article 6 of the GDPR – it relies on to underpin the processing. If the legal basis is Legitimate Interest, the data controller needs to be able to demonstrate – by producing records – that they have given proper consideration to the balance of their legitimate interest against the rights and freedoms of the individual, as discussed in question 30.

Individuals – including staff – are entitled to make an access request for a copy of their personal data if they have been recorded by your video surveillance systems. Information about the contact point or person must be clearly available to them, so that they can access this right. This is very important.

When responding to an access request for CCTV footage, it is important to keep in mind that individuals are entitled to a copy of their personal data – and only their personal data. Images of third parties should, generally, be blurred out or removed unless there is very good reason not to, or the third part gives their clear consent.

Direct marketing (e.g. information about sales, promotions etc.) is covered by very strict rules. Information that is provided to you for one purpose (e.g. an email address to secure a booking) should not then be used for marketing emails unless the individual has given their clear and informed consent.

When generating mailing lists, the customer should be invited to ‘opt-in’ for marketing purposes (e.g. tick a box). Boxes should not be pre-ticked, putting the onus on the individual to opt-out. Even if they tick-the box, the individual retains the right to object and opt-out at any time, free of charge. Generally, all direct marketing contacts should give the individual a way to opt-out of direct marketing, every time they receive one.

As with all processing activities, a valid legal basis must be in place to justify the processing. If consent is being used for direct marketing, it must be valid consent and up-to-date (the individual hasn’t exercised their right to opt-out). If legitimate interest is being used, the data controller must be able to demonstrate – through documentation – how they have balanced their legitimate interests against the individual’s rights, and why the processing is necessary (as outlined in question 30).

The individual must be given information to allow them to withdraw their consent (if the processing is based on consent) or object (if the processing is based on your legitimate interest). This information should be contained in every piece of direct marketing they receive from you (e.g. some electronic direct marketing will include a link to ‘unsubscribe’ at the end).

It must be made as easy for the individual to withdraw their consent as it was to give it in the first place, and they should not experience any harmful consequences as a result. Opting out should be free of charge and have no negative impact on the quality of service.

Processing personal data for direct marketing purposes after consent has been withdrawn is unlawful. You must ensure that your systems and procedures are set up to reflect opt-out requests as soon as possible. Failure to comply with an individual’s wishes after they have been indicated to the business or organisation gives rise to significant numbers of complaints – and prosecutions – for data protection authorities.

A DPIA is a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan.

Data protection impact assessments are mandatory the following cases:

• systematic and extensive processing of personal data which is based on automated processing, including profiling, and on which decisions are based that produce legal effects or other significantly consequences for the individual;
• extensive, large-scale processing of special categories of data (as set out in Article 9(1), or personal data relating to criminal convictions and offences (set out in Article 10 of the GDPR); or
• systematic monitoring of a publicly accessible area on a large scale.

DPIAs can cover a single processing operation, or a group of similar processing operations. A DPIA does not have to eradicate all risk, but should help you minimise and determine whether or not the level of risk is acceptable in the circumstances, taking into account the benefits of what you want to achieve. If, after conducting your DPIA, you find that the potential risks to the rights and freedoms of the individual are too high, you should either change the scope of your project or engage with your data protection authority.

Question 53 sets out the type of activity that must be underpinned by a DPIA. However, all projects would benefit from some form of DPIA. DPIAs are designed to be a flexible and scalable tool that you can apply to a wide range of sectors and projects. Conducting a DPIA does not have to be complex or time-consuming in every case, but there must be a level of rigour in proportion to the privacy risks arising.

In general, consistent use of DPIAs increases awareness of privacy and data protection issues within your organisation. It also ensures that all relevant staff involved in designing projects think about privacy at the early stages and adopt a ‘data protection by design’ approach.

There is no definitive DPIA template that you must follow, though most data protection authorities have templates available. You may prefer to develop your own template to suit your particular needs.

For new projects, DPIAs are a vital part of data protection by design. They build in data protection compliance at an early stage, when there is most scope for influencing how the proposal is developed and implemented. DPIAs are also relevant if you are planning to make changes to an existing system. In this case you must ensure that you do the DPIA at a point when there is a realistic opportunity to influence those plans.

A DPIA is a ‘living’ process to help you manage and review the risks of the processing and the measures you’ve put in place on an ongoing basis. You need to keep it under review and reassess if anything changes. Being able to demonstrate that your organisation has thought about risks, worked to mitigate them and is keeping the matter under regular review is an important part of being compliant with the GDPR.