
2017

General Data Protection Regulation Awareness Course

GDPR Awareness Training


George Mathews

Reference: GDPR Awareness Course
Issue No:
Issue Date:

Data protection legislation has existed for decades to protect personal information
and control how it is used. Changes in technology and business environments have
seen this legislation updated and adjusted over the years. The GDPR is the most
recent example.
Over the next 45 minutes or so, this course will teach you all you need to know in
order to comply with the GDPR.
Soon you will be able to:
• Describe the GDPR, its importance and the date it comes into effect;
• Identify the relevant data protection roles;
• Determine when a task is within the scope of the GDPR;
• Identify and differentiate between personal and sensitive data;
• Summarise the six data protection principles;
• Summarise the legal obligations of a data controller and a data processor;
• Describe the data subjects’ rights under the GDPR;
• Identify when a data subject’s personal data can be processed and shared;
• Outline how to process requests made by a data subject;
• Define a minor under the GDPR and understand the consent needed to
process a minor’s personal information;
• Outline the process for reporting a data breach.

There are six modules in this course:

1. Introduction
The history of data protection and the GDPR

2. GDPR Roles
Look at the different roles within the GDPR

3. GDPR Scope
Identify which tasks fall within the scope of the GDPR

4. GDPR Principles
Examine the GDPR’s data protection principles

5. Applying the GDPR
Practical information on applying the GDPR

6. Summary
Review the information covered in this course.

1|Page
Organisation Name

Comments to george.mathews@hackney.gov.uk
© GM Data Services Ltd
www.gmdataservices.co.uk
Classification_3
Reference: GDPR Awareness Course
Issue No:
Issue Date:

Module 1
Introduction
A brief history of data protection
Data protection concepts have been around in various forms for decades, such as
the common law of confidentiality.
It is only with the advancement of technology and a move from paper to electronic
storage that we have been able to easily collect, process and store personal
information on a large scale.
While this is hugely beneficial in guiding business decision making and generally
improving services, it has also resulted in rising criminal activity such as identity
fraud and theft.
The realisation that personal information must be protected has resulted in the
introduction of a number of laws over the years, which have been adapted and refined
as the need for better data protection has increased.
Ultimately, the need for advanced data protection, the need for consistency of
approach and the importance of enabling the free flow of information throughout
Europe have led to the EU’s General Data Protection Regulation (GDPR).

❖ 1983 Article 8 ECHR
One of the first legal protections for privacy was codified in Article 8 of the ECHR,
providing the foundation for modern European privacy laws.

❖ 1985 Convention for Protection of Individuals with regard to Automatic Processing of Personal Data
The Convention for the Protection of Individuals with regard to Automatic Processing
of Personal Data aimed to ensure the free flow of information throughout EU
member states without infringing upon personal privacy.
The minimum standards it set became the basis of the first round of privacy laws
across Europe and the UK’s first Data Protection Act (DPA) in 1984.


❖ 1985 Data Protection Directive (DPD)
The DPD was enacted to counter the shortcomings and variances that had
developed in data protection laws across the EU and to further encourage the free
flow of data between member states.
As a directive, the DPD required EU member states to develop their own laws that
aligned with its rigorous minimum standards. The UK’s DPA of 1998 is such a law.

❖ 2016 General Data Protection Regulation


The GDPR was adopted by the EU Council and Parliament in April 2016 to
standardise data protection across the EU and improve the flow of information. As a
regulation, it ensures greater consistency, as additional laws or interpretation by each
member state were not required.
The GDPR will take effect in May 2018, replacing existing EU and national data
protection legislation.
Constantly evolving technology continues to change the way we do business, the
tools we use and the processes we follow.
Previous data protection laws were just not sufficient because of the vast amount of
information and the level of detail that is now dealt with on a daily basis.
Added to this, EU data protection laws prior to the GDPR were based on the 1995
Data Protection Directive (DPD). As this was a directive and not a law in itself, each
EU member state had to develop and enact its own law to enforce the DPD’s
minimum standards.
As a result, the DPD’s minimum standards have been interpreted and implemented
differently throughout the EU, with the result that individuals do not have uniform
protection across the EU and the compliance process is unnecessarily complex for
organisations operating across multiple member states, which the EU Commission
believes has a negative effect on pan-EU commerce.
The GDPR was adopted by the EU Council and Parliament in April 2016 and after a
two year implementation period, comes into effect on 25 May 2018.
As a regulation, it applies in all the member states of the EU directly, without
requiring member states to create their own laws.


This ensures standardisation and lends itself to clear compliance requirements and,
as a result, the free flow of information across the EU. The GDPR also addresses
modern day data protection requirements, applies to an increased scope and
provides more detailed definitions of what constitutes personal data among other
things.


In a nutshell, the GDPR brings:
• Greater accountability with a requirement to demonstrate compliance
• Fines of up to 4% of total worldwide turnover for non-compliance
• Robust security requirements
• Widened definition of personal data
• New obligations for processors
• New and enhanced rights for individuals
• Compulsory data breach notification
• New obligations in respect of children's data

❖ Must be reported within 72 hours
Data breaches are much more strictly regulated under the GDPR, with the
requirement that the supervisory authority and, in certain circumstances, the data
subject be informed within 72 hours of the data controller becoming aware of a
breach.
❖ Reputational damage and significant fines
Along with the reputational damage that occurs as a result of a breach, data subjects
can bring an action in defence of their natural rights and regulators can levy
administrative fines of up to €20 million or 4% of annual global turnover,
whichever is greater.
❖ Both data controllers and processors can be liable
Under the GDPR, data controllers and data processors may both be liable for any
breaches that occur. As a result, a number of organisations (data controllers and/or
data processors) may face legal repercussions.


Module 2
GDPR Roles
Look at the different roles within the GDPR
In order to effectively implement the GDPR we need to be clear on the different roles
involved and where we fit in.

Data Subject: A natural person whose data is held and who is considered to have rights in respect of their personal information. An organisation or other legal entity is not a natural person and cannot be a data subject under the GDPR. The personal information of a deceased person is not protected.
Data Controller: Anyone who collects, holds or controls personal data and determines how this data is processed. Data controllers can be individuals but tend to be organisations.
Data Processor: Anyone who processes personal data on behalf of a data controller. In many cases the data controller and the data processor will be the same entity. A data controller may have several data processors.
NB: Processing is any operation(s) performed on personal data, e.g. collection, recording, organisation, storage, etc.
Data Protection Officer: An individual appointed by the data controller whose role is to monitor the application of the GDPR and ensure compliance in all issues relating to the protection of personal data.
Third Party: Anyone other than the data subject, data controller, data processor or the data protection officer.

Look at the scenarios that follow and see if you can identify the roles correctly.
Hint: Not all roles are necessarily present in these scenarios, but you can allocate
more than one role to each individual if it is relevant.


Scenario 1 of 3
John Smith is registered with Dr Zhivago at his local surgery where, a week ago, he
had some blood taken for a few routine tests.
Unfortunately, John is away on business and is unable to contact Dr Zhivago’s
surgery to find out the results of the tests.
His wife, Jane Smith, has offered to do this for him and has contacted Dr Zhivago to
obtain the results.
Can you identify the data protection roles in this scenario?

Match each person to a role: John Smith, Dr Zhivago, Jane Smith.
Roles: Data Subject, Data Controller, Data Processor, Data Protection Officer, Third Party.

John Smith: John Smith is the data subject in this scenario as the information being shared is about him.
Dr Zhivago: Dr Zhivago is both the data controller and data processor in this scenario. Not only does the doctor hold and control John’s information (the blood test results) but he is the party who would be processing the information by sharing it.
Jane Smith: Jane Smith is the third party in this scenario as she is neither the data subject (the information is not about her) nor involved with the controlling or processing of the information.


Scenario 2 of 3
Hackney Council has a collection of archived service user data that is securely
stored by Bigtech, an IT company it employs for this purpose.
Hackney Council is looking for some insight into its existing service user base and
has hired a research company called Intuit Research to sift through this archived
data and provide a report on specific metrics that have been identified by Hackney
Council.
Can you identify the data protection roles in this scenario?

Match each party to a role: Hackney Council, Hackney Council Service Users, Bigtech, Intuit Research.
Roles: Data Subject, Data Controller, Data Processor, Data Protection Officer, Third Party.

Hackney Council: Hackney Council is the data controller in this scenario as it controls the service users’ data and determines how and why it is used.
Hackney Council Service Users: Hackney Council’s service users are the data subjects in this scenario as the archived data is about them.
Bigtech: Bigtech is a data processor in this scenario. It is responsible for securely storing service users’ data that is passed to it by Hackney Council.
Intuit Research: Intuit Research is also a data processor in this scenario. It has been hired to provide a report on specific metrics of service users’ data provided by Hackney Council.


Scenario 3 of 3
Savings Corp is a large financial services company that has hired an external party, HR
Personnel, to provide a salary benchmark for its management team.
Sarah Smith, an employee of Savings Corp., is responsible for ensuring Savings
Corp.’s compliance with the GDPR and is the person who provided HR Personnel
with the necessary management information for the benchmark.
Adam Doe, a member of Savings Corp.’s management team, has asked his
lawyers, Mathews & Associates, to query the use of this information as he feels there
has been an information breach.

Can you identify the data protection roles in this scenario?

Match each party to a role: Savings Corp, HR Personnel, Sarah Smith, Adam Doe, Mathews & Associates.
Roles: Data Subject, Data Controller, Data Processor, Data Protection Officer, Third Party.

Savings Corp: Savings Corp. is the data controller in this scenario as it is the party that controls and determines how and why the personal information is used.
HR Personnel: HR Personnel is the data processor in this scenario as it is responsible for using the personal information provided by Savings Corp. to provide a benchmark for the management team.
Sarah Smith: Sarah Smith is Savings Corp.’s DPO in this scenario as she is the employee responsible for ensuring that Savings Corp. is compliant with the GDPR. It is not clear, however, whether she has been formally appointed to the role.
Adam Doe: Adam Doe, along with other members of the management team, is a data subject in this scenario. The information being processed by HR Personnel is about them.

Mathews & Associates: As Adam Doe’s lawyers, Mathews & Associates are a third party in this scenario. They are not the data subject, as they are not a natural person, and they are not involved in controlling or processing the management information.


Module 3
GDPR Scope
Identify which tasks fall within the scope of the GDPR
Another key factor to consider is whether the task you are performing is within the
scope of the GDPR.
The GDPR applies to the processing of personal data by controllers and processors
within the EU, regardless of where the data subject resides. It also applies to the
processing of an EU data subject’s personal data by controllers and processors that
are not established within the EU, if this processing is being carried out to provide
services into the EU.
This means that in order to determine whether the GDPR applies to a particular task
we must consider a few elements:
➢ Whether the data being processed is considered to be the personal data of a
living natural person;
➢ Whether the data is collected, held or processed within the EU and, if not,
➢ Whether services are being provided into the EU.
Personal data
The GDPR considers personal data to be any information that can be used to
directly or indirectly identify an individual. This includes information that is stored
digitally or manually indexed and filed.
In addition to this, the GDPR identifies certain personal data as sensitive. Any data
controller or data processor looking to collect or make use of sensitive data is
required to obtain the data subject’s explicit consent before doing so.
Can you correctly sort the data below into the categories Personal Data, Sensitive Data or Other?
• Name
• Economic Data
• Religious or Philosophical Beliefs
• Biometric Data
• Health or Sex Data
• Medical/Social Care Records
• Genetic Data
• Location
• Racial and Ethnic Data
• Trade-Union Memberships
• IP Address or Mobile Phone ID
• Credit Card Details
• Political Opinions

All of this data is considered personal data because it can be used, either directly or
indirectly, to identify a data subject.
However, elements such as medical/social care records, genetic data, biometric
data, racial or ethnic data, political opinions, religious or philosophical beliefs, trade-
union memberships and health or sex data fall into the special category of sensitive
data.
This provides data subjects with enhanced protection under the GDPR.
Now that you have a better idea of what constitutes personal and sensitive data, look
at the scenarios that follow and determine whether the particular task is within the
scope of the GDPR.
Remember, the GDPR is applicable to:
• Any personal data of a living natural person that is collected, held or processed
within the EU regardless of the location of the data subject; and
• Any personal data that is collected, held or processed outside the EU, if done for
the purposes of providing services into the EU.


Scenario 1 of 4
You work for a telecommunication company that operates in the EU. Your marketing
team is conducting customer research to determine the purchasing trends of EU
customers based on their demographic.
You are responsible for collecting and consolidating the survey information with the
aim of informing future marketing strategy.
Do you need to comply with the GDPR when carrying out this task? Yes/No

When determining whether the GDPR applies to a particular task you must consider:
• Whether the data being processed is considered to be personal data of a living
natural person;
• Whether the data is collected, held or processed within the EU, and, if not,
• Whether services are being provided into the EU.

In this scenario, the survey information you are collecting and consolidating is
considered personal data as it can directly identify the data subjects, who are living
natural individuals.
Your organisation is the data controller and processor and is based within the EU,
which, together with the personal data being processed, makes the GDPR applicable
here.


Scenario 2 of 4
Last year you launched your own business providing consulting services to large
corporate clients throughout the EU.
Your company has gone from strength to strength since you launched and it is now
time to upgrade your branding to align with your professional offering.
You approach a local graphic design company based in the EU for assistance
updating your logo.

Does the graphic design company need to adhere to the GDPR when working with
your logo? Yes/No

When determining whether the GDPR applies to a particular task you must consider:
• Whether the data being processed is considered to be personal data of a living
natural person;
• Whether the data is collected, held or processed within the EU, and, if not,
• Whether services are being provided into the EU.

Although your business, as the data controller, and the graphic design company, as
the data processor, are both based in the EU, intellectual property (such as the logo)
is not considered personal data.
Additionally, the logo can only be used to identify your business, which in its own
right, is not considered a data subject and not protected by the GDPR.


Scenario 3 of 4
You work for an EU based company that provides payroll solutions to organisations
looking to outsource this function.
One of the accounts you’re in charge of is headquartered in the USA. The head
office provides you with the payroll information for the EU arm of its business, which
you then run at month end.

Is the GDPR applicable for this payroll run? Yes/No

The payroll information in this scenario is considered personally identifiable and your
company, as the data processor, is based in the EU. This makes the GDPR
applicable here despite the data controller being in the USA.


Scenario 4 of 4
Your company, based in Canada, sells business literature online to organisations
around the world. You use a local Canadian courier service to deliver the literature to
your customers, promising delivery within five working days worldwide.
You have just received an order from an individual within the EU which you must
take payment for and process.
When processing this order, do you have to pay specific attention to GDPR
stipulations? Yes/No
You, as the data controller, and the courier company, as the data processor, are both
based in Canada, meaning the personal data is held outside the EU, but because you
are providing services to a data subject within the EU, the GDPR still applies.

Having been through these scenarios you should have a clearer picture of when a
particular task is within the scope of the GDPR.
To recap, a task is within the scope of the GDPR when:
✓ The data being processed can be used, either directly or indirectly, to identify a
living natural person; and
✓ The data is collected, held or processed within the EU; or
✓ The data is being used to provide services into the EU


Module 4

GDPR Principles

Examine the GDPR’s data protection principles

GDPR Principles

The GDPR identifies seven principles that should be applied when personal data is
collected or processed.

Principle 1

Processed lawfully, fairly and transparently

This means ensuring that you have met the conditions to process personal and
sensitive data. You have obtained consent to process personal data or explicit
consent for sensitive data.

When collecting personal data you should also inform the data subject who you are,
how the data will be processed and if the data will be disclosed to any other parties.

Principle 2

Collected for specified, explicit and legitimate purposes

You must only collect personal data for legitimate and specified reasons, and you
must inform the data subject of these reasons

Personal data may, however, be archived in the public interest, for scientific or
historical research purposes or for statistical purposes.

Principle 3

Adequate, relevant and limited to what is necessary for processing

Make sure you only collect as much data as is necessary for processing. You should
not collect more personal data than you need to meet your processing requirements.


Principle 4

Accurate and kept up to date

You must take reasonable steps to ensure personal data is accurate and kept up to
date.

This includes amending or erasing personal data when it is found to be inaccurate,
or when a data subject informs you of any changes.

Principle 5

Kept in a form that allows the identification of data subjects only as long as necessary
for processing

Personal data must only be kept in an identifiable form for as long as necessary for
its intended purposes. We should have a data retention policy that identifies when
particular records may be destroyed and a systematic way of doing so.

Personal data may, however, be stored for longer periods if archived in the public
interest, for scientific, historical research and statistical purposes or for legal
requirements.

Principle 6

Processed in a manner that ensures its security

Using appropriate technical and organisational measures, personal data must be
kept secure to:
• Ensure protection against unauthorised or unlawful processing; and
• Prevent accidental loss, damage or destruction.

Accountability

The data controller is responsible for demonstrating compliance with the GDPR’s
data protection principles and must therefore ensure that any data processors have
measures in place to enable compliance with the GDPR. If there is a breach,
however, both the data controller and the data processor are liable.


This makes it important to specify responsibilities and liabilities in any contractual
arrangements between data controllers and data processors.
NB: The ISO 27001 standard is internationally recognised as an effective way of
demonstrating that the appropriate technical and organisational measures
have been implemented.

GDPR Principles in Action

Let’s have a look at an example of these data protection principles in action. Read
the scenario below, then read each principle that follows to see how the GDPR principles were
implemented.
A financial advisory firm called FS Administrators provides specialist financial
services to customers throughout the EU. As part of these services, FS
Administrators provides its customers with a web portal through which they can
monitor their portfolios and perform certain actions.
As a small and specialised company, FS Administrators does not have the in-house
expertise to run and maintain its customer web portal, so has entered into an
agreement with an IT company called WebManage to do this on its behalf.
Customers are required to create an online profile for the web portal before being
able to use it. To do this, they need to provide certain personal data.


Principle 1 Processed lawfully, fairly and transparently

Before creating a web portal profile, the customer is required to read a fair
processing notice.
This notice provides information that is relevant to the collection and processing of
their personal data, including information on FS Administrators and what will be done
with their personal data. This includes informing them that WebManage will be
collecting and processing the information.
Consent to collect and process their personal and sensitive data is then obtained
from the customer.

Principle 2 Collected for specified, explicit and legitimate purposes

The fair processing notice the customer is required to read before creating their
web portal profile also specifies the purpose for which their personal data is being
collected.
The personal data is then only used for these purposes.

Principle 3 Adequate, relevant and limited to what is necessary for processing

During the process of creating the web portal profile, FS Administrators and
WebManage have made sure that they only collect the information necessary to
identify the customer and provide them with their portfolio information.

Principle 4 Accurate and kept up to date

In order to keep customers’ personal data accurate and up to date, each customer is
asked to review and confirm the accuracy of their personal data on a yearly basis
when logging into the web portal.
Any requested changes are routed, along with the necessary proof, to WebManage,
which then makes the amendment accordingly.


Principle 5 Kept in a form that allows identification of data subjects only as long as necessary for processing

FS Administrators and WebManage have put in place a data retention policy that
requires any web portal profiles and the related personal data records that have
been inactive for more than 24 months to be suspended, encrypted and archived.
The policy also outlines the processes to be followed when doing this, as well as the
processes to follow when erasing and destroying any web portal profiles and
personal data records for individuals who are no longer customers of FS
Administrators.

Principle 6 Processed in a manner that ensures security

Both FS Administrators and WebManage have taken steps to ensure that they have
the necessary technical and organisational measures in place to secure customers’
personal data against unauthorised or unlawful processing and accidental loss,
damage or destruction.
There are relevant contractual arrangements in place outlining the responsibilities
and liabilities of each party, and both are ISO 27001 certified.


Module 5
Applying the GDPR
Practical Information on applying the GDPR
We have covered the concepts behind the GDPR and you should have a better idea
about why it has been implemented, the different roles involved, and the scope and
principles of the GDPR.
But what do you actually have to do?


Collecting and processing personal data

1. What are our legal obligations as a data controller?

As a data controller, you are required to abide by the six data protection principles
when performing tasks that fall within the scope of the GDPR.

You must make sure that any personal data is:

i. Processed lawfully, fairly and transparently

Inform the data subject of who you are, how their personal data will be processed
and whether another party will be part of this process (data processors). This is
usually done in a fair processing notice when you collect the data. Your fair
processing notice can take different forms depending on the method used to collect
the data, e.g. verbally over the phone, on a printed form, or a CCTV notice.

You must ensure that you meet the necessary conditions to collect and process any
personal or sensitive data that you require. The best way to do this is to obtain
active, positive consent to collect and process personal data and explicit consent for
sensitive data.

ii. Collected for specified, explicit and legitimate purposes

Inform the data subject of the reason for collecting and processing their personal data.
You can do this as part of the fair processing notice you provide.

iii. Adequate, relevant and limited to what is necessary for processing

Collect only the data that is absolutely necessary for carrying out your particular task.
You can only use this data for this specific task. If you want to use it for any other
purposes you must obtain further consent from the data subject.

iv. Accurate and kept up to date

Make sure that any personal data you collect is accurate and kept up to date as far
as possible.
This may involve asking the data subject to confirm their personal data from time to
time, and updating or erasing the data you have on record to reflect changes
reported by the data subject.

When you no longer need to keep records up to date, you’ll probably no longer need
to keep the data.

v. Kept in a form that allows the identification of the data subjects only as long as necessary

The personal data you collect must be kept in a format that allows the data subjects
to be identified only for as long as it is needed for carrying out your task. Encrypting
or hashing (coding) this personal data does not remove this requirement; you must
still dispose of the data when it is no longer needed. However, encrypting or hashing
the personal data you hold is encouraged, as it improves security, and data breaches
involving encrypted or hashed data do not need to be reported to the data subject.

Your organisation’s data retention policy determines when particular data records
should be destroyed and how this is to be done. Any personal data that is no longer
required should be disposed of in accordance with this policy.
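As an added example (not part of the course material), the Python script below shows how a retention check can apply this principle in practice: a record's erasure date depends only on the purpose it was collected for and the collection date, so hashing the fields does not extend it, and the audit trail it produces contains no personal data and can be kept as evidence that the policy was applied. The purposes, retention periods and records are constructed for illustration and are not the course's figures.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed retention policy: processing purpose -> how long the data may stay
# identifiable after collection. The periods are illustrative, not the course's.
RETENTION_POLICY: Dict[str, timedelta] = {
    "recruitment": timedelta(days=180),
    "payroll": timedelta(days=6 * 365),
}


@dataclass
class Record:
    record_id: str
    purpose: str            # the specific task the data was collected for
    collected_at: datetime  # when the data subject supplied it
    fields: Dict[str, str]  # personal data; plaintext or hashed values
    hashed: bool = False    # True once pseudonymise() has been applied


def pseudonymise(record: Record) -> Record:
    """Replace every field value with its SHA-256 digest. This improves security,
    but, as the course says, it does not stop the retention clock."""
    digests = {k: hashlib.sha256(v.encode("utf-8")).hexdigest() for k, v in record.fields.items()}
    return Record(record.record_id, record.purpose, record.collected_at, digests, hashed=True)


def expiry_date(record: Record, policy: Dict[str, timedelta] = RETENTION_POLICY) -> datetime:
    """Erasure date from purpose and collection date only; hashing is irrelevant."""
    if record.purpose not in policy:
        # No documented retention period means no basis for keeping the data:
        # refuse to guess and make the data protection lead define one.
        raise ValueError(f"no retention period defined for purpose {record.purpose!r}")
    return record.collected_at + policy[record.purpose]


def is_expired(record: Record, now: datetime, policy=RETENTION_POLICY) -> bool:
    return now >= expiry_date(record, policy)


def enforce_retention(records: List[Record], now: datetime,
                      policy=RETENTION_POLICY) -> Tuple[List[Record], List[str], List[dict]]:
    """Split records into those to keep and those to erase.

    Returns (kept, erased_ids, audit_log). The audit log names the record,
    purpose and dates but never the personal data, so it can itself be kept
    as evidence that the retention policy was applied."""
    kept, erased, audit = [], [], []
    for r in records:
        if is_expired(r, now, policy):
            erased.append(r.record_id)
            audit.append({
                "record_id": r.record_id,
                "purpose": r.purpose,
                "expired_on": expiry_date(r, policy).isoformat(),
                "erased_at": now.isoformat(),
                "was_hashed": r.hashed,
            })
        else:
            kept.append(r)
    return kept, erased, audit


def demo():
    """Constructed records: two expired recruitment records (one of them hashed)
    and one payroll record still within its retention period."""
    now = datetime(2018, 6, 1, tzinfo=timezone.utc)  # constructed clock
    old = now - timedelta(days=200)
    records = [
        Record("A1", "recruitment", old, {"name": "Example Applicant", "email": "applicant@example.invalid"}),
        pseudonymise(Record("A2", "recruitment", old, {"name": "Second Applicant", "email": "second@example.invalid"})),
        Record("P1", "payroll", old, {"name": "Example Employee", "employee_no": "E-0001"}),
    ]
    return enforce_retention(records, now)


if __name__ == "__main__":
    kept, erased, audit = demo()
    print("kept:", [r.record_id for r in kept])
    print("erased:", erased)
    for entry in audit:
        print(entry)
```

Running the script erases both recruitment records, hashed or not, keeps the payroll record, and refuses to decide on any record whose purpose has no documented retention period, which is the case a retention policy most often fails to cover.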

vi. Processed in a manner that ensures its security

Your organisation is required to have security measures in place to keep data
subjects’ personal data safe. These encompass both technical and organisational
measures, and are aimed at protecting against the unlawful and unauthorised
processing of data and at preventing loss, damage and destruction.

Examples of security measures are:

• Documented policies and procedures;
• Access controls;
• Audits;
• Username and password rules; and
• User training.

2. What are our legal obligations as a data processor?

Data processors are required to carry out certain processing tasks in accordance
with the specific instructions of the data controller. These instructions will be set out
in the contractual agreement between your organisation and the data controller.

In carrying out these instructions, your organisation must abide by the same GDPR
data protection principles as the data controller.

3. What are the data subjects’ rights under the GDPR?

The GDPR provides data subjects with more control over their data as well as a
better understanding of what their data is being used for.

As a result, data subjects have certain data protection rights under the GDPR that, if
infringed, allow the data subject to take legal action against data controllers and
data processors, and seek compensation for damages.

Make sure you abide by these rights when collecting or processing personal data:

a) The right to be informed

Be transparent when collecting personal data so that data subjects understand how
you intend to use their data. This is usually done in a fair processing or privacy
notice that provides information relevant to the processing of this data.

You must provide information on:

• The identity and contact details of the data processor;
• The purpose and legal basis for processing the data;
• How the data is to be processed;
• The parties involved in processing the data; and
• How long the data will be kept.

b) The right of access

Data subjects have the right to access their personal data. In this way they are able
to determine what personal data is held and how it is being processed.

The way data subjects do this is by submitting a subject access request (SAR),
which you are required to respond to within a month.

c) The right to rectification

Data subjects have the right to request that any personal data held is rectified if it is
found to be inaccurate or incomplete.
You must comply with requests for rectification within a month of receiving them.

d) The right to restrict processing

In some circumstances, you may be required to restrict the processing of a data
subject’s personal data. This means that you cannot process this personal data, but
you are permitted to store it.

You must restrict processing when:

• A data subject contests the accuracy of their personal data, until the data’s
accuracy can be verified;
• A data subject has objected to the processing of their personal data, until the
legitimacy of the processing can be determined;
• Processing is unlawful and the data subject requests that processing be
restricted instead of their personal data being erased; or
• You no longer need the personal data but the data subject requires the data for a
legal claim.

e) The right to object

Inform data subjects of their right to object to the processing of their personal data at
the time of collection. If you receive an objection you must immediately stop
processing the personal data unless:

• You can demonstrate overriding legitimate reasons for continuing the processing; or
• Processing is required for a legal claim.

The processing of personal data for direct marketing purposes must always be
stopped when an objection is received; there are no grounds to refuse these types
of objections.

f) The right of erasure (right to be forgotten)

Data subjects have the right to request that their personal data is deleted or removed if:

• The personal data is no longer needed for processing;
• Consent is withdrawn;
• The data subject objects to the processing and there is no overriding legitimate
reason for continuing the processing;
• The personal data was unlawfully processed; or
• The personal data must be erased to comply with a legal obligation.

This requires you not only to erase the personal data but also to take steps, to the
best of your ability, to erase any publicly available personal data. Your data
protection authority will most likely look for evidence that you have followed the
appropriate technical and procedural measures to erase this data.

g) The right to data portability

The data subject has the right to request a copy of the personal data you hold on
them. They may also request that this data be sent to another data controller.
You must share this data in a format useable by the data subject or data controller,
and you should therefore determine this before supplying the data.

h) Right in relation to automated decision-making and profiling

The GDPR provides protection for data subjects against the risk of a potentially
damaging decision being made without human intervention and the use of their
personal data in profiling or predictive measures.

As a result, when processing involves automated decision-making, you must ensure that
data subjects are able to:

• Obtain human intervention;
• Express their point of view; and
• Obtain an explanation of the decision and challenge it.

4. What are the preconditions for processing personal and sensitive data?

In order to process personal and sensitive data legally, you are required to meet
certain preconditions.

a) Personal Data Preconditions

Personal data can be processed if any of the following preconditions have been met:

• You have the consent of the data subject;
• There are contractual or legal reasons, e.g. the performance of a contract to
comply with the data controller’s legal obligation;
• You are protecting a legitimate interest, e.g. the interests of the data subject or in
pursuit of the data controller’s legitimate interest, unless it infringes upon the data
subject’s interests; or
• It’s for a public body and in the public interest, i.e. the administration of justice,
parliamentary or governmental function, or ordered by the secretary of state.

b) Sensitive Data Preconditions

Sensitive data can be processed if any of the following preconditions have been met:

• You have the explicit consent of the data subject;
• There are legal or employment reasons, e.g. performing employment rights or
obligations, legal proceedings, obtaining legal advice or exercising legal rights;
• To protect the vital interests of the data subject;
• It’s for the public good, e.g. administration of justice, government functions,
medical purposes, equality research or ordered by the secretary of state; or
• You are a non-profit body with the appropriate safeguards.

5. How do we obtain consent/explicit consent when processing personal and
sensitive data?

In most cases, you have to have a data subject’s consent in order to process their
personal data. There are circumstances in which consent is not necessary but these
normally involve legal requirements or where a data subject has provided consent
through a contract with a third party.

As a data controller, you must:

✓ Obtain clear and unambiguous consent;
✓ Obtain explicit consent for any sensitive data being processed;
✓ Obtain consent for each processing activity; and
✓ Allow data subjects to remove consent.

But what is the difference between consent for ‘normal’ personal data and explicit
consent for sensitive data?

To obtain consent (non-explicit), you must disclose the purpose, processes and
parties involved with the processing of personal data as well as the duration the data
will be retained (usually done in the form of a fair processing notice), and obtain clear
acceptance and agreement from the data subject.

Explicit consent is required when processing sensitive data and involves providing all
the details required for (non-explicit) consent but in greater detail, in order to provide
the data subject with full understanding and control of the processing of their
sensitive data and the implications thereof.

Any documentation you use to obtain consent must be laid out in simple terms and
must be clear, concise and not unnecessarily disruptive to the service being used.
You must ensure that you follow exactly the internal procedure laid down for you in
terms of dealing with sensitive data.

6. How do we handle access requests made by the data subject?

The GDPR gives data subjects the right to see what information you hold on them.
This is done through a subject access request (SAR), which your organisation must
comply with within one month or risk monetary penalties.

There are certain requirements that you must follow when responding to an SAR. If
you receive a request for data held by the organisation, refer to your organisation’s
subject access request procedure, which outlines the necessary steps and
information you must provide.

The procedure will require you to provide information such as:

➢ The type of personal data held;
➢ The purpose of processing this personal data;
➢ Details of third parties that may be involved in processing;
➢ The duration this personal data will be stored; and
➢ How to request amendments or erasure of personal data.

7. How do we handle a data subject’s request to rectify or erase personal data?

Data subjects have the right to request that any personal data that you hold on them
is amended or, in some circumstances, erased.

If you receive a request to amend personal data (such as an address) you should
refer to your organisation’s relevant procedure to determine the necessary steps.

If a request to erase personal data is received, you should refer to your organisation’s
data retention policy to determine the appropriate action. This policy indicates when
and how data records should be securely destroyed.

8. What steps should be taken when providing any personal data?

When providing personal data to anyone, whether inside or outside the organisation,
you should refer to your organisation’s documented procedures for guidance, but it’s
important to determine:

➢ If you are allowed to share this personal data under the GDPR;
➢ Who the person or company requesting the personal data is (and if they
are who they say they are);
➢ What they require the personal data for; and
➢ Whether the data subject is aware of this request and if they have consented to
their personal data being shared for this purpose.

9. What personal data can be given to someone who is related to the data subject?

The GDPR does not permit you to share personal data with anyone who is not the
data subject or a valid data processor other than where dealing with someone under
the age of 13.

10. What personal data can be shared within my organisation

You can use or share any personal data within your organisation if it is required to
carry out a particular processing task and consent has been obtained for this specific
purpose.

11. Can copies of my employment references (given or received) be provided to the
data subject?

If you have requested and received an employment reference and the data subject
has requested a copy, you should provide this information. In this context, you are
the data controller and the request would constitute a subject access request (SAR).
Your organisation’s relevant SAR procedure should be followed accordingly.

If you have provided an employment reference to another employer, you are not
obliged to provide the data subject with a copy of this reference.

12. What personal data can be shared with the general public?

Personal data may not be shared with the general public, unless consent has been
provided by the data subject.

13. Can personal data be provided for mortgages/rental references?

A data subject’s personal data can be provided to data processors performing
mortgage or rental references, as long as the data that is being requested is relevant
to the process of performing the reference.

14. What format should copies of personal data be provided in?

Under the GDPR, the data subject is allowed to request that personal data be
provided in a format that is usable by them. You should determine what format would
best suit the data subject before providing them with the information they have
requested.

15. Can personal data be transferred outside the EU?

Data processors or data controllers can transfer personal data outside the EU and
EEA to certain countries or international organisations that are recognised by the EU
Commission as long as these actions do not contravene the GDPR.

16. Can personal data be used for marketing purposes?

Personal data may not be used for marketing purposes unless you have obtained
consent from the data subject specifically for this purpose.

Requesting Personal Data

1. Can we request medical information on a data subject?

Medical information is considered personal data and its use is governed by the
GDPR.

This means that if you want to request medical information on a particular data
subject, you must either obtain consent from the data subject themselves or require
the information for contractual reasons or protection of a legitimate interest.

The data may then only be used for this specific purpose.

2. Can we request employment references on a data subject?

You are allowed to request an employment reference on an individual.

Minors and the GDPR

1. What is considered a minor under the GDPR?

Anyone who is 16 years of age or younger is considered a minor under the GDPR,
although the GDPR does allow EU member states to lower the age as long as it is
not below 13.

2. What consent is required to process the information of a minor?

To process the personal data of any data subject who is 16 years of age or younger,
you will need to obtain consent from a parent or guardian.

Parental or guardian consent is not required if processing is related to preventive or
counselling services offered directly to the minor.

NB: The GDPR highlights the importance of protecting minors’ personal data when
this information is used for the purposes of marketing and creating online profiles.

Data Breaches and Security Incidents

1. How do I report a data breach?

A data breach is defined by the GDPR as a breach of security that leads to the
destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

Any breaches that result in a risk to the rights and freedom of a data subject must be
reported to the supervisory authority by the data controller within 72 hours of the
data controller becoming aware of the breach. If the breach is likely to result in a high
risk to the rights and freedoms of the data subject, the data controller must also alert
the data subject without undue delay.

If the data processor becomes aware of a data breach, they must alert the data
controller, who is responsible for reporting the breach.

If you are aware of a breach, consult the person in charge of data protection for your
organisation and the breach reporting procedure to determine who should be notified
and how.

Your procedure will require that the following information be included when reporting
a data breach:

✓ What the breach was and how it occurred;
✓ The measures that have been taken to prevent future breaches; and
✓ The action taken to mitigate the possible effects of the breach.
✓ If the organisation doesn’t make this report within 72 hours of the breach,
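An added example, not from the course, of the reporting decisions this section describes, written as Python so that each rule is visible as a condition: who must be told, whether the 72-hour clock has started (it runs from the data controller becoming aware, not from discovery by a processor), whether the data subject must be alerted, and the three report fields the procedure asks for. The breach scenarios, timestamps and measures are constructed, and the risk level is assumed to have been assessed already by the organisation's data protection lead.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# The course's figure: the controller has 72 hours from becoming aware.
AUTHORITY_WINDOW = timedelta(hours=72)


class Risk(Enum):
    """Risk to the rights and freedoms of the data subject, as assessed by the
    organisation's data protection lead (an assumed input, not computed here)."""
    NONE = "no risk"      # record internally; no external notification required
    RISK = "risk"         # supervisory authority within 72 hours
    HIGH = "high risk"    # authority, and the data subject without undue delay


@dataclass
class Breach:
    summary: str                              # what happened and how (keep personal data out of it)
    risk: Risk
    discovered_by: str                        # "controller" or "processor"
    controller_aware_at: Optional[datetime]   # None while the controller has not yet been told
    data_unintelligible: bool = False         # affected data was encrypted or hashed


@dataclass
class Plan:
    notify_controller: bool                   # a processor must pass the breach up the chain
    notify_authority: bool
    authority_deadline: Optional[datetime]    # None until the controller is aware
    notify_data_subjects: bool


def plan_notifications(breach: Breach) -> Plan:
    """Apply the course's reporting rules to one breach."""
    # A processor that finds a breach must alert the controller, who reports it.
    notify_controller = (breach.discovered_by == "processor"
                         and breach.controller_aware_at is None)
    # Any breach carrying a risk goes to the supervisory authority ...
    notify_authority = breach.risk is not Risk.NONE
    # ... and the 72-hour clock runs from the controller's awareness, not discovery.
    deadline = None
    if notify_authority and breach.controller_aware_at is not None:
        deadline = breach.controller_aware_at + AUTHORITY_WINDOW
    # High risk means the data subject is told too, unless the data was
    # encrypted or hashed (the course's stated exception).
    notify_subjects = breach.risk is Risk.HIGH and not breach.data_unintelligible
    return Plan(notify_controller, notify_authority, deadline, notify_subjects)


def hours_remaining(plan: Plan, now: datetime) -> Optional[float]:
    """Hours left before the authority deadline; negative means it has passed."""
    if plan.authority_deadline is None:
        return None
    return (plan.authority_deadline - now) / timedelta(hours=1)


def breach_report(breach: Breach, preventive: list, mitigation: list) -> dict:
    """The information the course says the reporting procedure requires."""
    return {
        "what_and_how": breach.summary,
        "measures_to_prevent_recurrence": list(preventive),
        "action_to_mitigate_effects": list(mitigation),
        "risk": breach.risk.value,
    }


def demo() -> dict:
    """Three constructed scenarios; the timestamps are invented for the example."""
    aware = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    laptop = Breach("Unencrypted laptop holding HR records lost in transit",
                    Risk.HIGH, "controller", aware)
    tape = Breach("Encrypted backup tape lost by courier",
                  Risk.HIGH, "controller", aware, data_unintelligible=True)
    mailing = Breach("Processor detected unauthorised access to a mailing-list export",
                     Risk.RISK, "processor", None)
    return {
        "laptop": plan_notifications(laptop),
        "tape": plan_notifications(tape),
        "mailing": plan_notifications(mailing),
        "laptop_hours_left": hours_remaining(plan_notifications(laptop), aware + timedelta(hours=30)),
        "report": breach_report(laptop, ["Full-disk encryption enforced on laptops"],
                                ["Remote wipe issued", "Affected staff informed"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The third scenario is the one worth noting: a breach found by a processor already requires authority notification, but the deadline field stays empty until the controller has been told, which is exactly why the course makes the processor alert the controller first.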
