GDPR Guide
[Company address]
Reference: GDPR Awareness Course
Issue No:
Issue Date:
Data protection legislation has existed for decades to protect personal information
and control how it is used. Changes in technology and business environments have
seen this legislation updated and adjusted over the years. The GDPR is the most
recent example.
Over the next 45 minutes or so, this course will teach you all you need to know in
order to comply with the GDPR.
Soon you will be able to:
• Describe the GDPR, its importance and the date it comes into effect;
• Identify the relevant data protection roles;
• Determine when a task is within the scope of the GDPR;
• Identify and differentiate between personal and sensitive data;
• Summarise the six data protection principles;
• Summarise the legal obligations of a data controller and a data processor;
• Describe the data subjects’ rights under the GDPR;
• Identify when a data subject’s personal data can be processed and shared;
• Outline how to process requests made by a data subject;
• Define a minor under the GDPR and understand the consent needed to
process a minor’s personal information;
• Outline the process for reporting a data breach.
2. GDPR Roles
Look at the different roles within the GDPR
3. GDPR Scope
Identify which tasks fall within the scope of the GDPR
4. GDPR Principles
Examine the GDPR’s data protection principles
6. Summary
Review the information covered in this course.
1|Page
Organisation Name
Comments to george.mathews@hackney.gov.uk
© GM Data Services Ltd
www.gmdataservices.co.uk
Classification_3
Module 1
Introduction
A brief history of data protection
Data protection concepts have been around in various forms for decades such as
the common law of confidentiality.
It is only with the advancement of technology and a move from paper to electronic
storage that we have been able to easily collect, process and store personal
information on a large scale.
While this is hugely beneficial in guiding business decision making and generally
improving services, it has also resulted in rising criminal activity such as identity
fraud and theft.
The realisation that personal information must be protected has resulted in the
introduction of a number of laws over the years, which have been adapted and refined
as the need for better data protection has increased.
Ultimately, the need for advanced data protection, the need for consistency of
approach and the importance of enabling the free flow of information throughout
Europe have led to the EU’s General Data Protection Regulation (GDPR).
This ensures standardisation and lends itself to clear compliance requirements and,
as a result, the free flow of information across the EU. The GDPR also addresses
modern day data protection requirements, applies to an increased scope and
provides more detailed definitions of what constitutes personal data among other
things.
Module 2
GDPR Roles
Look at the different roles within the GDPR
In order to effectively implement the GDPR we need to be clear on the different roles
involved and where we fit in.
Look at the scenarios that follow and see if you can identify the roles correctly.
Hint: Not all roles are necessarily present in these scenarios, but you can allocate
more than one role to each individual if it is relevant.
Scenario 1 of 3
John Smith is registered with Dr Zhivago at his local surgery where, a week ago, he
had some blood taken for a few routine tests.
Unfortunately, John is away on business and is unable to contact Dr Zhivago’s
surgery to find out the results of the tests.
His wife, Jane Smith, has offered to do this for him and has contacted Dr Zhivago to
obtain the results.
Can you identify the data protection roles in this scenario?
John Smith: John Smith is the data subject in this scenario, as the information being
shared is about him.
Dr Zhivago: Dr Zhivago is both the data controller and the data processor in this
scenario. Not only does the doctor hold and control John’s information
(the blood test results), but he is the party who would be processing the
information by sharing it.
Jane Smith: Jane Smith is the third party in this scenario, as she is neither the data
subject (the information is not about her) nor involved in the controlling
or processing of the information.
Scenario 2 of 3
Hackney Council has a collection of archived service user data that is securely
stored by Bigtech, an IT company it employs for this purpose.
Hackney Council is looking for some insight into its existing service user base and
has hired a research company called Intuit Research to sift through this archived
data and provide a report on specific metrics that have been identified by Hackney
Council.
Can you identify the data protection roles in this scenario?
Scenario 3 of 3
Savings Corp is a large financial services company that hired an external party, HR
Personnel, to provide a salary benchmark for its management team.
Sarah Smith, an employee of Savings Corp, is responsible for ensuring Savings
Corp’s compliance with the GDPR and is the person who provided HR Personnel
with the necessary management information for the benchmark.
Adam Doe, a member of Savings Corp’s management team, has asked his
lawyers, Mathews & Associates, to query the use of this information as he feels there
has been an information breach.
Mathews & Associates: As Adam Doe’s lawyers, Mathews & Associates are a
third party in this scenario. They are not the data subject,
as they are not a natural person, and they are not
involved in controlling or processing the management
information.
Module 3
GDPR Scope
Identify which tasks fall within the scope of the GDPR
Another key factor to consider is whether the task you are performing is within the
scope of the GDPR.
The GDPR applies to the processing of personal data by controllers and processors
within the EU, regardless of where the data subject resides. It also applies to the
processing of an EU data subject’s personal data by controllers and processors that
are not established within the EU, if this processing is being carried out to provide
services into the EU.
This means that in order to determine whether the GDPR applies to a particular task
we must consider a few elements:
➢ Whether the data being processed is considered to be the personal data of a
living natural person;
➢ Whether the data is collected, held or processed within the EU and, if not,
➢ Whether services are being provided into the EU.
Personal data
The GDPR considers personal data to be any information that can be used, directly
or indirectly, to identify an individual. This includes information that is stored
digitally or manually indexed and filed.
In addition to this, the GDPR identifies certain personal data as sensitive. Any data
controller or data processor looking to collect or make use of sensitive data is
required to obtain the data subject’s explicit consent before doing so.
Can you correctly sort the below data into the categories Personal Data, Sensitive
Data or Other?
• Name
• Economic Data
• Religious or Philosophical Beliefs
• Biometric Data
• Health or Sex Data
• Medical/Social Care Records
• Genetic Data
• Location
• Racial and Ethnic Data
• Trade-Union Memberships
• IP Address or Mobile Phone ID
• Credit Card Details
• Political Opinions
All of this data is considered personal data because it can be used, either directly or
indirectly, to identify a data subject.
However, elements such as medical/social care records, genetic data, biometric
data, racial or ethnic data, political opinions, religious or philosophical beliefs, trade-
union memberships and health or sex data fall into the special category of sensitive
data.
This provides data subjects with enhanced protection under the GDPR.
Now that you have a better idea of what constitutes personal and sensitive data, look
at the scenarios that follow and determine whether the particular task is within the
scope of the GDPR.
Remember, the GDPR is applicable to:
• Any personal data of a living natural person that is collected, held or processed
within the EU regardless of the location of the data subject; and
• Any personal data that is collected, held or processed outside the EU, if done for
the purposes of providing services into the EU.
Scenario 1 of 4
You work for a telecommunication company that operates in the EU. Your marketing
team is conducting customer research to determine the purchasing trends of EU
customers based on their demographic.
You are responsible for collecting and consolidating the survey information with the
aim of informing future marketing strategy.
Do you need to comply with the GDPR when carrying out this task? Yes/No
When determining whether the GDPR applies to a particular task you must consider
• Whether the data being processed is considered to be personal data of a living
natural person
• Whether the data is collected, held or processed within the EU, and, if not,
• Whether services are being provided into the EU
In this scenario, the survey information you are collecting and consolidating is
considered personal data as it can directly identify the data subjects, who are living
natural individuals.
Your organisation is the data controller and processor and is based within the EU,
which together with the personal data being processed, makes the GDPR applicable
here.
Scenario 2 of 4
Last year you launched your own business providing consulting services to large
corporate clients throughout the EU.
Your company has gone from strength to strength since you launched and it is now
time to upgrade your branding to align with your professional offering.
You approach a local graphic design company based in the EU for assistance
updating your logo.
Does the graphic design company need to adhere to the GDPR when working with
your logo? Yes/No
When determining whether the GDPR applies to a particular task you must consider
• Whether the data being processed is considered to be personal data of a living
natural person
• Whether the data is collected, held or processed within the EU, and, if not,
• Whether services are being provided into the EU
Although your business, as the data controller, and the graphic design company, as
the data processor, are both based in the EU, intellectual property (such as the logo)
is not considered personal data.
Additionally, the logo can only be used to identify your business, which in its own
right, is not considered a data subject and not protected by the GDPR.
Scenario 3 of 4
You work for an EU based company that provides payroll solutions to organisations
looking to outsource this function.
One of the accounts you’re in charge of is headquartered in the USA. The head
office provides you with the payroll information for the EU arm of its business, which
you then run at month end.
The payroll information in this scenario is considered personally identifiable and your
company, as the data processor, is based in the EU. This makes the GDPR
applicable here despite the data controller being in the USA.
Scenario 4 of 4
Your company, based in Canada, sells business literature online to organisations
around the world. You use a local Canadian courier service to deliver the literature to
your customers, promising delivery within five working days worldwide.
You have just received an order from an individual within the EU, which you must
take payment for and process.
When processing this order, do you have to pay specific attention to GDPR
stipulations? Yes/No
You, as the data controller, and the courier company, as the data processor, are both
based in Canada, meaning the personal data is held outside the EU, but because you
are providing services to a data subject within the EU, the GDPR still applies.
Having been through these scenarios you should have a clearer picture of when a
particular task is within the scope of the GDPR.
To recap, a task is within the scope of the GDPR when:
✓ The data being processed can be used, either directly or indirectly, to identify a
living natural person; and
✓ The data is collected, held or processed within the EU; or
✓ The data is being used to provide services into the EU.
Module 4
GDPR Principles
GDPR Principles
The GDPR identifies seven principles that should be applied when personal data is
collected or processed.
Principle 1
This means ensuring that you have met the conditions to process personal and
sensitive data. You have obtained consent to process personal data or explicit
consent for sensitive data.
When collecting personal data you should also inform the data subject who you are,
how the data will be processed and if the data will be disclosed to any other parties.
Principle 2
You must only collect personal data for legitimate and specified reasons, and you
must inform the data subject of these reasons.
Personal data may, however, be archived in the public interest, for scientific or
historical research purposes or for statistical purposes.
Principle 3
Make sure you only collect as much data as is necessary for processing. You should
not collect more personal data than you need to meet your processing requirements.
Principle 4
You must take reasonable steps to ensure personal data is accurate and kept up to
date.
Principle 5
Kept in a form that allows the identification of data subjects only as long as necessary
for processing
Personal data must only be kept in an identifiable form for as long as necessary for
its intended purposes. We should have a data retention policy that identifies when
particular records may be destroyed and a systematic way of doing so.
Personal data may, however, be stored for longer periods if archived in the public
interest, for scientific, historical research and statistical purposes or for legal
requirements.
Principle 6
Accountability
The data controller is responsible for demonstrating compliance with the GDPR’s
data protection principles and must therefore ensure that any data processors have
measures in place to enable compliance with the GDPR. If there is a breach,
however, both the data controller and the data processor are liable.
Module 5
Applying the GDPR
Practical Information on applying the GDPR
We have covered the concepts behind the GDPR and you should have a better idea
about why it has been implemented, the different roles involved, and the scope and
principles of the GDPR.
But what do you actually have to do?
As a data controller, you are required to abide by the six data protection principles
when performing tasks that fall within the scope of the GDPR.
You must ensure that you meet the necessary conditions to collect and process any
personal or sensitive data that you require. The best way to do this is to obtain
active, positive consent to collect and process personal data and explicit consent for
sensitive data.
When you no longer need to keep records up to date, you’ll probably no longer need
to keep the data.
v. Kept in a form that allows the identification of the data subjects only as
long as necessary
The personal data you collect must be kept in a format that allows the data subjects
to be identified only for as long as it is needed for carrying out your task. Encrypting
or hashing (coding) this personal data does not remove this requirement, you must
still dispose of data when it is no longer needed. However, encrypting or hashing the
personal data you hold is encouraged as it improves security and data breaches
involving encrypted or hashed data do not need to be reported to the data subject.
Your organisation’s data retention policy determines when particular data records
should be destroyed and how this is to be done. Any personal data that is no longer
required should be disposed of in accordance with this policy.
In carrying out these instructions, your organisation must abide by the same GDPR
data protection principles as the data controller.
The GDPR provides data subjects with more control over their data as well as a
better understanding of what their data is being used for.
As a result data subjects have certain data protection rights under the GDPR that, if
infringed, allows the data subject to take legal action against data controllers and
data processors, and seek compensation for damages.
Make sure you abide by these rights when collecting or processing personal data:
The way data subjects do this is by submitting a subject access request (SAR),
which you are required to respond to within a month.
Data subjects have the right to request that their personal data is deleted or removed if:
• Consent is withdrawn;
• The data subject objects to the processing and there is no overriding legitimate
reason for continuing the processing;
• The personal data was unlawfully processed; or
• The personal data must be erased to comply with a legal obligation
This requires you not only to erase the personal data but also to take steps, to the
best of your ability, to erase any publicly available personal data. Your data
protection authority will most likely look for evidence that you have followed the
appropriate technical and procedural measures to erase this data.
The data subject has the right to request a copy of the personal data you hold on
them. They may also request that this data be sent to another data controller.
You must share this data in a format useable by the data subject or data controller,
and you should therefore determine this before supplying the data.
4. What are the preconditions for processing personal and sensitive data?
In order to process personal and sensitive data legally, you are required to meet
certain preconditions.
In most cases, you have to have a data subject’s consent in order to process their
personal data. There are circumstances in which consent is not necessary but these
normally involve legal requirements or where a data subject has provided consent
through a contract with a third party.
will be retained (usually done in the form of a fair processing notice), and obtain clear
acceptance and agreement from the data subject.
Explicit consent is required when processing sensitive data and involves providing all
the details required for (non-explicit) consent but in greater detail in order to provide
the data subject with full understanding and control of the processing of their
sensitive data and the implications thereof.
Any documentation you use to obtain consent must be laid out in simple terms and
must be clear, concise and not unnecessarily disruptive to the service being used.
You must ensure that you follow exactly the internal procedure laid down for you in
terms of dealing with sensitive data.
The GDPR gives data subjects the right to see what information you hold on them.
This is done through a subject access request (SAR), which your organisation must
comply with within one month or risk monetary penalties.
There are certain requirements that you must follow when responding to an SAR. If
you receive a request for data held by the organisation, refer to your organisation’s
subject access request procedure, which outlines the necessary steps and
information you must provide.
Data subjects have the right to request that any personal data that you hold on them
is amended or, in some circumstances, erased.
If you receive a request to amend personal data (such as an address) you should
refer to your organisation’s relevant procedure to determine the necessary steps.
If a request to erase personal data is received, you should refer to your organisation’s
data retention policy to determine the appropriate action. This policy indicates when
and how data records should be securely destroyed.
9. What personal data can be given to someone who is related to the data subject?
The GDPR does not permit you to share personal data with anyone who is not the
data subject or a valid data processor other than where dealing with someone under
the age of 13.
You can use or share any personal data within your organisation if it is required to
carry out a particular processing task and consent has been obtained for this specific
purpose.
If you have requested and received an employment reference and the data subject
has requested a copy, you should provide this information. In this context, you are
the data controller and the request would constitute a subject access request (SAR).
Your organisation’s relevant SAR procedure should be followed accordingly.
If you have provided an employment reference to another employer, you are not
obliged to provide the data subject with a copy of this reference.
12. What personal data can be shared with the general public?
Personal data may not be shared with the general public, unless consent has been
provided by the data subject.
Data processors or data controllers can transfer personal data outside the EU and
EEA to certain countries or international organisations that are recognised by the EU
Commission as long as these actions do not contravene the GDPR.
Medical information is considered personal data and its use is governed by the
GDPR
This means that if you want to request medical information on a particular data
subject, you must either obtain consent from the data subject themselves or require
the information for contractual reasons or protection of a legitimate interest.
The data may then only be used for this specific purpose.
To process the personal data of any data subject who is 16 years of age or younger,
you will need to obtain consent from a parent or guardian.
NB: The GDPR highlights the importance of protecting minors’ personal data when
this information is used for the purposes of marketing and creating online profiles.
A data breach is defined by the GDPR as a breach of security that leads to the
destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Any breaches that result in a risk to the rights and freedom of a data subject must be
reported to the supervisory authority by the data controller within 72 hours of the
data controller becoming aware of the breach. If the breach is likely to result in a high
risk to the rights and freedoms of the data subject, the data controller must also alert
the data subject without undue delay.
If the data processor becomes aware of a data breach, they must alert the data
controller, who is responsible for reporting the breach.
If you are aware of a breach, consult the person in charge of data protection for your
organisation and the breach reporting procedure to determine who should be notified
and how.
Your procedure will require that the following information be included when reporting
a data breach: