Data Protection Basics: The 7 data protection principles

Understanding the key principles of data protection

Let’s get back to basics. There are seven core principles which form the foundation of data protection law. Understanding and applying these principles is the cornerstone of good practice and key to complying with UK / EU GDPR. Here’s our quick guide to the data protection principles.

1. Lawfulness, fairness and transparency

This principle covers 3 key areas.

a) Lawfulness – We must identify an appropriate ‘lawful basis’ for collecting and using personal data. In fact, we need to decide on a lawful basis for each task we use personal data for, and make sure we fulfil the specific conditions for that lawful basis. There are 6 lawful bases to choose from. We need to take special care and look to meet additional requirements when using what’s termed ‘special category’ data or data which relates to minors or vulnerable people. We should also be sure not to do anything which is likely to contravene any other laws.

b) Fairness – We must only use people’s data in ways that are fair. Don’t process data in a way which might be unexpected, discriminatory or misleading. This means evaluating any adverse effects on individuals.

c) Transparency – We must be clear, open and honest with people about how we use their personal information. Tell people what we’re going to do with their personal information. Routinely this is achieved by providing relevant privacy information at the point data is collected, and by publishing a complete and up-to-date privacy notice and making it easy to find. Transparency requirements apply right from the start, when we collect or receive people’s data.

2. Purpose limitation

This is all about only using personal details in the ways we told people they’d be used for. We must be clear about what our purposes for processing are and specify them in the privacy information we provide to individuals.
Sometimes we might want to use personal data for a new purpose. We may have a clear legal obligation to do so, but if not we should check the new purpose is compatible with the original purpose(s) we had for that data. If not, then we may need to secure the individual’s consent before going ahead. Remember, if we surprise people, they’ll be more likely to complain.

3. Data minimisation

We must make sure the personal data we collect and use is:

■ Adequate – necessary for our stated purposes. Only collect the data we really need. Don’t collect and keep certain personal information ‘just in case’ it might be useful in future.
■ Relevant – relevant to that purpose; and
■ Limited to what is necessary – don’t use more data than we need for each specific purpose.

4. Accuracy

We should take ‘all reasonable steps’ to make sure the personal data we gather and hold is accurate, up to date and not misleading. It’s good practice to use data validation tools when data is captured or re-used. For example, validate that email addresses are in the right format, or verify postal addresses when these are captured online. If we identify that any of the personal information we hold is incorrect or misleading, we should take steps to correct or delete it promptly.

Data accuracy can decline over time. For example, people change their email address, move house, get married or divorced, and their needs and interests change. And of course some people on your database may pass away. So we need to consider ways to keep our data updated and cleansed. Perhaps find ways to give people the opportunity to check and update their personal details?

5. Storage limitation

Don’t be a hoarder! We must not keep personal data longer than necessary for the purposes we have specified. Certain records need to be kept for a statutory length of time, such as employment data. But not all data processing has a statutory period.
Where the retention period is not set by law, the organisation must set an appropriate data retention period for each purpose, which it can justify. The ICO would expect us to have a data retention policy in place, with a schedule which states the standard retention period for each processing task. This is a key step to making sure you can comply with this principle. When the data is no longer necessary, we must destroy or anonymise it, unless there’s a compelling reason for us to keep it for longer, for example when a legal hold applies. For more information see our Data Retention Guidance.

6. Security

This is the ‘integrity and confidentiality’ principle of the GDPR – often known as the security principle. It requires organisations to make sure we have appropriate security measures in place to protect the personal data we hold. UK / EU GDPR talks about ‘appropriate technical and organisational measures’ (known as TOMs). These include things like physical and technical security measures, conducting information security risk analyses, and having information security policies and standards in place to guide our staff.

Our approach to security should be proportionate to the risks involved. The ICO advises us to consider available technology and the costs of implementation when deciding what measures to take. Some of the basics include transferring data securely, storing it securely, restricting access to only those who need it and authenticating approved data users. Cyber Essentials or Cyber Essentials Plus can be helpful as an assurance framework to carry out a review of your data security arrangements.

Controllers should consider information security standards when appointing and managing relationships with processors, i.e. service providers handling personal data on your behalf to provide their services. Are your processors handling the data you control securely? Carry out appropriate due diligence to make sure.

7. Accountability

The accountability principle makes organisations responsible for complying with the UK / EU GDPR and says they must be able to evidence how they comply with the above principles. This requires data governance across the organisation. Think of accountability as a collective responsibility, flowing from the Executive team down through to the teams that process personal data. To demonstrate how we comply, we need to have records in place. For many organisations this will include a Record of Processing Activities (RoPA). The ICO provides a useful ‘Accountability Framework’ we can use to benchmark performance against their expectations.

In summary, identify the lawful bases you’re relying on, and be fair and open about what you do. Minimise the data you collect and make sure it remains accurate over time. Always keep it secure and don’t keep it for longer than you need it. Take care if you want to use personal data for a new purpose. Keep records and be ready to justify your approach. The ICO has published more detailed guidance on the seven principles.
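As an added example (not part of this guidance or any particular tool), here is a small retention-schedule check in Python for the storage limitation principle above: each purpose has a scheduled period with its justification and an end action (destroy or anonymise), a legal hold overrides the end action, and a purpose with no schedule entry is flagged as a gap rather than silently kept. The schedule, the periods and the records are constructed sample values, not legal advice.

```python
"""Retention schedule check for the storage limitation principle.

Added example, not the guidance's own tooling. The schedule entries, the
retention periods and the records below are constructed sample values; a
real schedule comes from the organisation's data retention policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class RetentionRule:
    purpose: str
    retain_days: int   # standard retention period for this processing task
    basis: str         # 'statutory' or the documented justification for the period
    end_action: str    # 'destroy' or 'anonymise' once the data is no longer necessary

@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    last_needed_on: date       # date the data was last required for its purpose
    legal_hold: bool = False   # compelling reason to keep it beyond the schedule

# Constructed sample schedule (the periods are illustrative, not legal advice).
SCHEDULE = {
    "payroll": RetentionRule("payroll", 6 * 365, "statutory", "destroy"),
    "customer_enquiry": RetentionRule("customer_enquiry", 365, "policy: follow-up queries", "destroy"),
    "marketing_analytics": RetentionRule("marketing_analytics", 2 * 365, "policy: campaign review", "anonymise"),
}

def retention_action(record: Record, today: date, schedule=SCHEDULE) -> str:
    """Return 'keep', 'hold', 'destroy', 'anonymise' or 'unscheduled' for one record.

    A purpose with no schedule entry is itself a gap in the retention policy,
    so it is surfaced as 'unscheduled' rather than silently kept.
    """
    rule = schedule.get(record.purpose)
    if rule is None:
        return "unscheduled"
    expiry = record.last_needed_on + timedelta(days=rule.retain_days)
    if today < expiry:
        return "keep"
    # Past its period: a legal hold is the only reason left to keep it.
    if record.legal_hold:
        return "hold"
    return rule.end_action

def review(records, today: date, schedule=SCHEDULE) -> dict:
    """Group record ids by the action the schedule requires of them."""
    out: dict = {}
    for r in records:
        out.setdefault(retention_action(r, today, schedule), []).append(r.record_id)
    return out
```

Run `review(records, date.today())` over an export of your record metadata to get a worklist per action; the 'unscheduled' bucket is the one to take back to the retention policy owner.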
Data Protection Basics: The 6 lawful bases

A quick guide to the six lawful bases for processing personal data

One of the fundamental data protection principles is that our handling of personal data must be ‘lawful, fair and transparent’. To be lawful, clearly, we shouldn’t do anything illegal in general terms. But what else does it mean to be lawful? We’re given six lawful bases to choose from under UK/EU GDPR. For each purpose we use personal data for, we need to match it with an appropriate lawful basis. For example, a purpose might be:

■ Sending marketing emails to our customers
■ Profiling our audience to better target our marketing
■ Handling staff payroll data to pay salaries
■ Handling customer enquiries about our services
■ Delivering a product a customer has requested
■ Implementing measures to prevent fraud

We need to select the most appropriate lawful basis and meet its own specific requirements. Each basis is equally valid, but one may be more appropriate than others for any specific task. We’re legally obliged to set out the lawful bases we rely on in our privacy notices. If none of them seem to work, you may want to question whether you should be doing what you’re planning to do.

Quick guide to the 6 lawful bases

(This is not intended to be exhaustive; do check the ICO’s Lawful Basis Guidance.)

1. Contract

This lawful basis will be appropriate if you need to process an individual’s personal information to deliver a service to them, or you need to collect certain details to take necessary steps before entering into a contract or agreement.

Example 1: An individual purchases a product from you and you need to handle specific personal information about them in order to deliver that product, including when you acknowledge their order, provide essential information, and so on.

Example 2: Someone asks you to give them a quote for your services, and you need certain information about them in order to provide that quote.
Contract tips:

■ It doesn’t apply to other purposes you may use the data for which are not essential.
■ It’s most likely to be used when people are agreeing to T&Cs, although it can also be used where a verbal agreement or request for information is made.
■ The person whose data you’re processing must be party to the contract or agreement with you. It doesn’t apply if you want to process someone’s details but the contract is with someone else, or with another business.

2. Legal obligation

There may be circumstances where you are legally obliged to conduct certain activities which will involve processing personal data. This could be to comply with common law or to undertake a statutory obligation.

Example 1: You are offering a job to someone outside the EU. You need to check they have a visa to work in the UK, as this is a legal obligation.

Example 2: Airlines and tour operators collect and process Advance Passenger Information (API) as this is a legal requirement for international air travel.

Legal obligation tips:

■ Legal obligation shouldn’t be confused with contractual obligations.
■ Document your decision. You should be able to identify either a) the specific legal provision you are relying on, or b) the source of advice/guidance which sets out your obligation.

3. Vital interests

You can collect, use or share personal data in emergency situations, to protect someone’s life.

Example: A colleague collapses at work, is unable to talk, and you need to tell a paramedic they have a medical condition. Common sense should prevail.

Vital interests tips:

■ It’s very limited in scope, and should generally only apply in life and death situations.
■ It should only be used when you manifestly can’t rely on another basis. For example, if you could seek consent, you can’t rely on vital interests.

4. Public task

You can process personal data if necessary for public functions and powers that are set out in law, or to perform a specific task in the public interest.
Most often this basis will be relied upon by public authorities and bodies, but it can apply in the private sector where organisations exercise official authority, or carry out tasks in the public interest.

Public task tips:

■ If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this basis won’t be appropriate. The processing must be necessary.
■ Document your decisions, specify the task, function or power, and identify the statutory or common law basis.

5. Legitimate Interests

This is the most flexible lawful basis, but don’t just assume what you’re doing is legit. It’s most likely to be appropriate when you use people’s data in a way they’d reasonably expect, where there is minimal impact on them, or where you have a compelling justification.

Legitimate interests must be balanced. You must balance the organisation’s interests against the interests, rights and freedoms of individuals. If your activities are beyond people’s reasonable expectations or would cause unjustified harm, their rights and interests are likely to override yours.

Legitimate interests – when it isn’t legit

Legitimate Interests tips:

■ Conduct and document a Legitimate Interests Assessment (LIA). This may be relatively simple and straightforward, or more complex.
■ Consider whether you can provide people with an easy way to object. This is not essential in all situations (e.g. fraud protection).
■ Be open about where you rely on legitimate interests, so it’s likely to be within people’s reasonable expectations. Remember to include what your legitimate interests are in your privacy notice.
■ Check the ICO’s guidance on when legitimate interests can be relied upon for marketing activities.

Important note: In June 2025 the UK Data (Use and Access) Act introduced a new lawful basis for processing into the UK GDPR. This lawful basis of ‘recognised legitimate interests’ can be relied upon by organisations for specific purposes without being required to conduct a balancing test (i.e. a Legitimate Interests Assessment). The list of recognised legitimate interests includes the following (and may be expanded):

■ Disclosures to public bodies, where it is asserted personal data is necessary to fulfil a public function.
■ Disclosures for national or public security or defence purposes, or emergencies.
■ Disclosures for the prevention or detection of crime, and safeguarding vulnerable individuals.

6. Consent

This is when you choose to give individuals a clear choice about the use of their personal details for a specific purpose, and they give their clear consent for you to go ahead. The law tells us consent must be a ‘freely given, specific, informed and unambiguous’ indication of someone’s wishes given by a ‘clear affirmative action’. Consent is all about giving people a genuine choice and putting them in control. They must be able to withdraw their consent at any time, without a detrimental impact on them.

Consent, getting it right.

Consent tips:

■ It should be clear what people are consenting to.
■ Consent shouldn’t be bundled together for different purposes; each purpose should be distinct.
■ It must not be conditional – people shouldn’t be ‘forced’ to consent to an activity as part of signing up to a service.
■ Consent is unlikely to be appropriate where there may be an imbalance of power. For example, if an employee would feel they have no option but to give consent to their employer (or might feel they could be penalised for not giving it).
■ The law sometimes requires consent. For example, under the electronic marketing rules consent is sometimes a requirement.

In summary, consider all the purposes you have for processing personal data. Assign a lawful basis to each purpose and check you’re meeting the specific requirements for each basis. Tell people in your privacy notice the lawful bases you rely on, and specifically explain your legitimate interests.
Finally, don’t forget, if you’re processing special category data (for example data revealing racial or ethnic origin, health data or biometric data) you’ll need a lawful basis, plus you’ll need to meet one of the conditions under UK GDPR Article 9. For criminal convictions data you’ll need a lawful basis, plus one of the conditions under UK GDPR Article 10.
Privacy Notices Quick Guide

The right to be informed

All businesses need an external-facing Privacy Notice, aka Privacy Policy, if collecting and handling people’s personal information. Data protection law tells us we must provide people with easily accessible and specific privacy information when we collect their data. This guide sets out the key considerations and core requirements for our Privacy Notices.
Data Breaches: Assessing the level of risk

The alarm goes off inside your organisation; you’re certain, or have a reasonable degree of certainty, that a personal data breach has occurred. You’ve either contained the breach, or are in the process of doing so. You’ve established all the facts or are still gathering them. Great stuff. You’re starting to manage the risk. Alongside this, there are two pressing issues to address under GDPR (and UK GDPR):

1. Do you need to report the breach to a Data Protection Authority (e.g. the UK’s Information Commissioner’s Office – ICO)? Reporting is required within 72 hours of becoming aware of a breach, and must be done unless the breach is unlikely to represent a ‘risk’.
2. Do you need to notify affected individuals? This is required without undue delay if the breach represents a ‘high risk’.

Data Protection Authorities don’t need to hear about every incident where there’s minimal risk to individuals. In fact, the ICO made it clear after GDPR was implemented that they saw a degree of over-reporting. There’s a balance to be struck; you don’t want to fail to report a data breach when you should have. Each incident needs to be considered on a case-by-case basis, taking account of all relevant factors. No two incidents are likely to be the same (unless you failed to address something crucial the first time around!).

The key is balancing the severity of the potential impact on those affected with the likelihood of this occurring. For example, the impact could be quite severe but highly unlikely to materialise, or conversely the impact could be relatively low but highly likely.

What do data breach harms look like?

There could be a number of negative consequences for people affected, so you need to consider the harms and/or damage the breach might cause. For example, it could result in any of the following: financial loss, identity theft, fraud, emotional distress, loss of confidentiality, discrimination, humiliation and reputational damage.
Other harms could include material or physical damage, loss of control of personal data, social disadvantage or limitation of rights.

How to assess the potential harm from a data breach

In assessing the types of harm the breach may result in, it can be useful to answer the following types of assessment questions:

■ Can individuals be identified easily?
■ Are people at increased risk of identity theft or fraud?
■ Could people suffer financially?
■ Could people’s reputation be damaged?
■ Is there a breach of confidentiality?
■ Are people at risk of physical harm?
■ Does the breach involve information relating to children or vulnerable adults?
■ Does the combination of data involved pose more of a risk?

The above is by no means an exhaustive list. The importance of certain questions will vary, depending on the nature of the incident, the personal data and individuals affected and indeed the nature of your organisation.

It’s good practice to use a risk matrix, with a scoring system of likelihood against severity, so you can evaluate the severity and likelihood of the harm identified. This helps answer the key questions of a) should we report to a Data Protection Authority? and b) should we notify affected individuals? Not only does a scoring system provide internal reassurance that a clear methodology is being used, it’s also useful evidence of your assessment should it ever be required. The European Commission Guidelines on Notification of a Personal Data Breach (in section IV) provide helpful pointers on how to assess risk and high risk.

If your breach involves special category data or financial details, the risks may be more obvious and the decision to report the breach may be more clear-cut. Assessments may need to be fluid, including regular ‘check-ins’ with colleagues as your understanding of the situation evolves and answers to your questions become known.
While your response to a data breach needs to be swift and effective, often you won’t know all the facts and will be unable to fully evaluate the risk posed within 72 hours. The first report to a Data Protection Authority can be just an initial report. This can then be followed up with more information as it becomes available. In some cases the risk rating of a breach might be downgraded or upgraded.

The key to success is having a robust data incident procedure, to help your data incident response team manage what can be multiple moving parts as effectively as possible: a procedure which includes a clear method of assessing the risk. Like many ‘emergencies’ in life, from a punctured tyre to a cut finger, being well prepared will prove invaluable.
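As an added illustration (not the guide's own method), here is the likelihood-against-severity matrix above in Python: each assessment question becomes a weighted factor, the weighted ‘yes’ answers collapse to a 1 to 5 severity band, and the product with likelihood drives the report and notify decisions. Unanswered questions mark the result provisional, so the same assessment can be re-run, and upgraded or downgraded, as facts arrive. The weights, the 1 to 5 scales and the two thresholds are assumptions that an organisation’s own incident procedure would set and justify.

```python
"""Likelihood-by-severity scoring for a personal data breach.

Added example, not the guide's own method. The harm factors mirror the
assessment questions in the guide; the weights, the 1-5 scales and the two
thresholds are constructed assumptions that an organisation's incident
procedure would set and justify.
"""
from dataclasses import dataclass
from typing import Optional

@dataclass
class BreachAssessment:
    # One field per assessment question; None means not yet known.
    identifiable: Optional[bool] = None
    identity_theft_or_fraud: Optional[bool] = None
    financial_loss: Optional[bool] = None
    reputational_damage: Optional[bool] = None
    confidentiality_breach: Optional[bool] = None
    physical_harm: Optional[bool] = None
    children_or_vulnerable: Optional[bool] = None
    combination_raises_risk: Optional[bool] = None
    likelihood: int = 3  # 1 (remote) .. 5 (almost certain) that harm materialises

# Constructed weights: how much each 'yes' adds to the raw severity.
WEIGHTS = {
    "identifiable": 1, "identity_theft_or_fraud": 2, "financial_loss": 2,
    "reputational_damage": 1, "confidentiality_breach": 1, "physical_harm": 3,
    "children_or_vulnerable": 2, "combination_raises_risk": 1,
}
REPORT_THRESHOLD = 6    # score at or above this: treat as a 'risk', report to the DPA
NOTIFY_THRESHOLD = 12   # score at or above this: treat as 'high risk', notify individuals

def severity(a: BreachAssessment) -> int:
    """Collapse the weighted 'yes' answers onto a 1..5 severity band."""
    raw = sum(w for name, w in WEIGHTS.items() if getattr(a, name))
    return min(5, 1 + raw // 3)

def assess(a: BreachAssessment) -> dict:
    """Score the breach and derive the report / notify decisions.

    Unknown answers count as 'no' for now and flag the result as provisional;
    re-run assess() as facts arrive so the rating can be upgraded or downgraded.
    """
    if not 1 <= a.likelihood <= 5:
        raise ValueError("likelihood must be an integer from 1 to 5")
    sev = severity(a)
    score = sev * a.likelihood
    unanswered = [n for n in WEIGHTS if getattr(a, n) is None]
    return {
        "severity": sev,
        "likelihood": a.likelihood,
        "score": score,
        "report_to_dpa": score >= REPORT_THRESHOLD,
        "notify_individuals": score >= NOTIFY_THRESHOLD,
        "provisional": bool(unanswered),
        "unanswered": unanswered,
    }
```

Keep each returned dict with its timestamp in the incident record; the sequence of provisional and final scores is the evidence of your methodology that the guide says may later be required.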