Personal data is defined as any information relating to a person who can be identified directly or indirectly. This includes online identifiers, such as IP addresses and cookies, if they are capable of being linked back to the data subject. Indirect information might include physical, physiological, genetic, mental, economic, cultural or social identities that can be linked back to a specific individual. There is no distinction between personal data about an individual in their private, public or work roles – all are covered by this regulation.
Organisations such as National Food Service Bristol will be required to “implement appropriate technical and organisational measures” in relation to the nature, scope, context and purposes of their handling and processing of personal data. Data protection safeguards must be designed into products and services from the earliest stages of development. These safeguards must be appropriate to the degree of risk associated with the data held and might include:
- Pseudonymisation and/or encryption of personal data – this is done through our vendor database provider.
- Ensuring the ongoing confidentiality, integrity, availability and resilience of systems
- Restoring the availability of, and access to, data in a timely manner following a physical or technical incident
- Introducing a process for regularly testing, assessing and evaluating the effectiveness of these systems.
A key part of the regulation requires consent to be given by the individual whose data is held. Consent means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. Organisations will need to be able to show how and when consent was obtained. This consent does not need to be explicitly given; it can be implied by the person’s relationship with the company. However, the data obtained must be for specific, explicit and legitimate purposes. Individuals must be able to withdraw consent at any time and have a right to be forgotten: if their data is no longer required for the reasons for which it was collected, it must be erased.
General data protection has to abide by 6 principles
- LAWFULNESS, FAIRNESS AND TRANSPARENCY
The first principle is relatively self-evident: organisations need to make sure their data collection practices don’t break the law and that they aren’t hiding anything from data subjects.
- PURPOSE LIMITATION
Organisations should only collect personal data for a specific purpose, clearly state what that purpose is, and only collect data for as long as necessary to complete that purpose.
Processing that’s done for archiving purposes in the public interest or for scientific, historical or statistical purposes is given more freedom.
- DATA MINIMISATION
Organisations must only process the personal data that they need to achieve their processing purposes. Doing so has two major benefits. First, in the event of a data breach, the unauthorised individual will only have access to a limited amount of data. Second, data minimisation makes it easier to keep data accurate and up to date.
- ACCURACY
The accuracy of personal data is integral to data protection. The GDPR states that “every reasonable step must be taken” to erase or rectify data that is inaccurate or incomplete.
Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days.
- STORAGE LIMITATION
Similarly, organisations need to delete personal data when it’s no longer necessary.
How do you know when information is no longer necessary? According to marketing company Epsilon Abacus, organisations might argue that they “should be allowed to store the data for as long as the individual can be considered a customer. So the question really is: For how long after completing a purchase can the individual be considered a customer?”
The answer to this will vary between industries and the reasons that data is collected. Any organisation that is uncertain how long it should keep personal data should consult a legal professional.
- INTEGRITY AND CONFIDENTIALITY
This is the only principle that deals explicitly with security. The GDPR states that personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
The GDPR is deliberately vague about what measures organisations should take, because technological and organisational best practices are constantly changing. Currently, organisations should encrypt and/or pseudonymise personal data wherever possible, but they should also consider whatever other options are suitable.
The regulations demand that individuals have full access to information on how their data is processed, and this information should be available in a clear and understandable way. Individuals can make requests, and these must be executed “without undue delay and at the latest within one month of receipt of the request”. Where requests to access data are manifestly unfounded or excessive, small and medium-sized enterprises will be able to charge a fee for providing access.
What does that mean for you?
- Do not share the data you are given with anyone
- Do not leave the data visible in public spaces
- Delete the data once you have used it
- If you have a concern with any data, please do not hesitate to raise it with National Food Service Bristol’s Data Protection Officer, Pete Beckwith, who can be contacted at firstname.lastname@example.org