FREE CHAPTER from ‘A Practical Guide to the General Data Protection Regulation (GDPR) – 2nd Edition’ by Keith Markham

CHAPTER TWO – PRINCIPLES AND ACCOUNTABILITY

2.1 Introduction

The basic architecture of the DPA 1998, in terms of principles, remains largely unchanged in the GDPR and DPA 2018. The most significant development, however, has been the introduction of the concept of ‘accountability’. Each of these issues will now be discussed in turn.

2.2 Principles

The GDPR is structured around a series of principles that are largely the same as those found in the DPA 1998 and I set out a brief summary of them below:

2.2.1 1st principle – lawfulness, fairness and transparency

‘data to be processed lawfully, fairly and in a transparent manner in relation to the data subject’

Essentially this principle requires controllers to have a ‘lawful basis’ in place to justify their processing of personal data. This issue will be discussed in more detail in chapter 5.

2.2.2 2nd principle – purpose limitation

‘data to be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes’

This issue has not typically attracted much attention either from controllers or from supervisory authorities. In practice all that is required is for controllers to inform data subjects at the outset of their relationship that the personal data collected will be used for purposes that are specified and lawful. If any changes are proposed subsequently, the controller would have to contact the data subjects and inform them of the changes and of their ability to object, albeit in practice this occurs very rarely.

Of more interest to most controllers is the question as to what constitutes a specified and lawful purpose and I set out some suggestions below that are based on purposes suggested by the ICO:

  • Accounts and records

  • Staff management

  • Provision of goods or services

  • Provision of advice

  • Credit checking

  • Marketing

  • Market research

This information would normally be provided to data subjects in the privacy statement required by articles 13 and 14 which is discussed in more detail in chapter 7.

2.2.3 3rd principle – data minimisation

‘data collected to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’

At the time of first collection of a data subject’s personal data it can be tempting for controllers to embark on a wide-ranging exercise to gather as much personal data as possible. Unsurprisingly, there have always been limits as to the extent of such an exercise and the application of a certain amount of common sense is likely to avoid any major infringements.

Ultimately, if challenged by the ICO, any controller would have to demonstrate why the collection of the disputed personal data was necessary. If the personal data collected was necessary for the provision of goods or services of one type or another then this should be a formality. However, collection of special categories data such as religious belief or sexual orientation is likely to be more difficult to justify unless the controller has a particular requirement to access such information, for example to carry out equality monitoring.

Example

A data subject wishes to purchase a book from a well-known website. In order to facilitate this purchase the only personal data required from the data subject will be: name, contact details, delivery address, payment details and details of the item ordered. Anything else would be a breach of this principle.

2.2.4 4th principle – accuracy

‘data to be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay’

Clearly no controller can ever be 100% accurate in terms of the personal data it collects. Therefore, it is important to note that if personal data is found to be inaccurate, controllers are to take reasonable steps to erase or rectify it without delay. This will typically be in response to a request for erasure or rectification, on which more detail follows in chapter 7.

Of course, controllers would be well advised to take reasonable steps at the time of collection of the personal data so as to minimise errors. Such reasonable steps could include asking the data subject to:

  • repeat key information to the controller’s employee – e.g. if providing information via the telephone

  • check information carefully before submitting it to the controller – e.g. via a form on a website

  • provide a document with key information written on it so that this can be copied by the controller’s employee – e.g. if the data subject is physically present

Ultimately the nature of any reasonable steps would largely be dictated by the sensitivity of the personal data being collected as well as the consequences that could follow if it was collected incorrectly.

Example

A data subject is due to undergo an operation and the details of the operation need to be communicated to the surgical team. In this case the utmost care should be taken to transmit this information accurately and this is likely to involve several checks prior to the operation taking place.

2.2.5 5th principle – storage limitation

‘data to be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject’

The phrase ‘no longer than necessary’ has always caused lawyers to raise an eyebrow, given that no further guidance is provided within the GDPR as to precisely what this might mean. In practice controllers need to ensure that they have a data retention policy in place which summarises the personal data held, the length of time it is held for and also a justification for this.

Example

A law firm establishes a data retention policy with the following features:

Type of personal data                        | Time period                               | Justification
---------------------------------------------|-------------------------------------------|--------------------------------------------------------------------------------
Client files                                 | 6 years following file closure            | SRA Rules; defence or exercise of legal claims
Complaint files                              | 6 years following file closure            | LeO / SRA Rules; defence or exercise of legal claims
Application forms (unsuccessful candidates)  | 6 months following unsuccessful application | Defence or exercise of legal claims; consideration for another suitable position
Payroll files                                | 7 years following end of employment       | HMRC Rules
Personnel files                              | 6 years following end of employment       | Defence or exercise of legal claims

Of course, there may be exceptions to these general rules. Perhaps the best example would be a wills file, which hopefully should not need to be consulted for many years following the drafting of the will but would need to be retained until such time as it was required for probate purposes.

The other main consideration is ensuring that such a policy is actually implemented in practice. Many is the firm or organisation that I have visited in recent years where employees are either blissfully ignorant of such a policy or have yet to apply it to the content of the cupboard under the stairs.

This issue will be discussed further in chapter 7 in the context of requests for erasure.

2.2.6 6th principle – integrity and confidentiality

‘data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’

This principle is of the utmost importance, not least because a serious breach could well lead to the imposition of a civil monetary penalty, and therefore it is discussed at great length in chapter 10.

2.2.7 Missing principles

Data protection aficionados will no doubt be aware that the DPA 1998 contained a total of eight principles and therefore two principles appear to have vanished post-GDPR. In fact, the missing principles relating to the rights of data subjects and transfers of personal data outside of the EEA have been retained elsewhere in the GDPR, at articles 12-22 and 44-50 respectively.

2.3 Registration Fees

Under the DPA 2018 most controllers are still required to pay a registration fee to the ICO.[1] The details of this are set out in the Data Protection (Charges and Information) Regulations 2018 as follows:

Tier One – Micro-organisations

£40.00 (£35.00 if controllers set up an annual direct debit) – this is payable by controllers with a maximum turnover of £632,000 or no more than ten members of staff.

Tier Two – SMEs

£60.00 – this is payable by controllers whose annual turnover exceeds £630,000 but is less than £36 million, or who have no more than 250 members of staff.

Tier Three – Large organisations

£2,900.00 – this is payable by controllers that do not meet the criteria of either tier 1 or tier 2.

Two important points to note are that some controllers are exempt and that there is no such thing as a group notification; therefore all controllers that fall within any of the three tiers must be registered individually.

Failure to pay the relevant fee can result in the levying of a civil monetary penalty which, according to the aforementioned regulations, is payable as follows:

  • Tier One – £400.00

  • Tier Two – £600.00

  • Tier Three – £4,000.00

Note however that the ICO reserves the right[2] to increase the amount payable up to the statutory maximum under s158 of the DPA 2018, which is capped at:

‘150% of the highest charge payable by a controller in respect of a financial year in accordance with the regulations, disregarding any discount available under the regulations.’[3]

In practice this leads to a potential maximum penalty of £4,350.00.

Since May 2018 the ICO has been active in pursuing controllers who have not paid the appropriate registration fee and has issued hundreds of notices of intent requiring controllers to pay up, failing which a civil monetary penalty will be issued. As yet it appears that every controller has ultimately paid up without the need for further enforcement action.

Controllers wishing to check if they are exempt and/or register should consult the following link:

https://ico.org.uk/for-organisations/data-protection-fee/

2.4 Accountability

Despite the obvious similarities referred to above there is one major difference between the DPA 1998 and the GDPR, and this is the concept of ‘accountability’ that is introduced under the GDPR:

‘the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).’[4]

In practice this means that the controller is responsible for and must be able to demonstrate compliance with the principles set out above.[5] The need to demonstrate compliance is more onerous than what was required under the DPA 1998.

The GDPR suggests five ways in which controllers can comply with the accountability principle.

2.4.1 Implement appropriate technical and organisational measures

The GDPR uses this phrase in respect of various topics including measures to be taken to ensure security of personal data. The ICO Guidance suggests that this will include:

  • creation and review of internal data protection policies,

  • staff training, and

  • internal audits of processing activities

2.4.2 Maintain relevant documentation on processing activities[6]

The GDPR requires controllers, and where applicable their representatives, to maintain a record of their processing activities that shall contain the following information:[7]

(a) the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;

(b) the purposes of the processing;

(c) a description of the categories of data subjects and of the categories of personal data;

(d) the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;

(e) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;

(f) where possible, the envisaged time limits for erasure of the different categories of data;

(g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

The GDPR also requires processors, and where applicable their representatives, to maintain a record of all categories of processing activities carried out on behalf of a controller including:[8]

(a) the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the data protection officer;

(b) the categories of processing carried out on behalf of each controller;

(c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of appropriate safeguards;

(d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

In both cases the records are to be in writing, including in electronic form,[9] and shall be made available to the ICO on request.[10]

However, where an organisation has fewer than 250 employees the requirements of paragraphs 1 and 2 will only apply if the processing is:[11]

  • likely to result in a risk to the rights and freedoms of data subjects,

  • not occasional, or

  • inclusive of special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10[12]

Apart from the requirements set out above there is no prescribed format for this document, and therefore controllers and processors have a degree of flexibility as to how they will retain it. As always, the best advice is to try to incorporate this document within existing documents.

2.4.3 Appoint a data protection officer[13]

The GDPR states that both controllers and processors are required to appoint a data protection officer in certain circumstances. This role and its precise characteristics are discussed in more detail in chapter 12.

2.4.4 Implement measures that meet the principles of data protection by design and data protection by default[14]

The GDPR contains this phrase, and it is one that has been present in data protection circles for a number of years. The ICO suggests that the following ideas are characteristic of a ‘design and default’ approach:

  • Data minimisation (only collecting information from data subjects that you actually need);

  • Pseudonymisation (holding information in a way that does not readily identify the data subjects affected);

  • Transparency (providing information to data subjects at the outset about what information you collect, what you will use it for, who you will share it with and what rights they have); and

  • Creating and improving security features on an ongoing basis (taking into account technological developments)

In deciding what steps to take, the controller is able to take into consideration the:

  • Technological state of the art

  • Cost of implementation

  • Nature, scope, context and purposes of processing

  • Varying likelihood and severity for rights and freedoms of natural persons

In practice this means two things:

First, that the approach taken will vary considerably from one controller to another. Some controllers will have significant financial resources while others will not. Some will be processing large amounts of special categories data about large numbers of data subjects while others may only be processing basic personal data about their own employees. All of these matters need to be taken into account in deciding on an approach that is appropriate in the context in which the processing is taking place.

Secondly, it is essential for data protection issues to be discussed at the beginning of any project involving personal data rather than leaving them until the end. If issues are raised at an early stage then data protection considerations can be built in as part of the architecture of what is planned. If they are left until the last moment then this is likely to lead to frustration and delay for all involved.

2.4.5 Data protection impact assessments[15]

Finally, the GDPR suggests that controllers may wish to carry out a data protection impact assessment. These documents are discussed in more detail in chapter 3.

2.5 Summary

In summary then, there is considerable continuity between the principles of the DPA 1998 and the principles of the GDPR. The main change is the introduction of the concept of accountability which requires controllers and processors to be more proactive in demonstrating compliance with the applicable rules. In order to do this there are several steps that controllers and processors can take.

2.6 Practical steps:

  • Consider how you will comply with the accountability principle

  • Review and revise all data protection related policies and procedures

  • Consider the content and detail of existing records relating to data processing

  • Appoint a data protection officer if required

  • Consider implementation of a ‘design and default’ approach

  • Use data protection impact assessments where appropriate


[1] s137 DPA 2018

[2] ICO Regulatory Action Policy p28

[3] s158(3) DPA 2018

[4] Article 5(2)

[5] Article 5(2)

[6] Article 30

[7] Article 30(1)

[8] Article 30(2)

[9] Article 30(3)

[10] Article 30(4)

[11] Article 30(5)

[12] Article 30(5)

[13] Article 37(1)

[14] Article 25

[15] Article 35