
Data protection

Guide to the General Data Protection Regulation (GDPR)

Contents

Introduction
What's new
Key definitions
  What is personal data?
Principles
  Lawfulness, fairness and transparency
  Purpose limitation
  Data minimisation
  Accuracy
  Storage limitation
  Integrity and confidentiality (security)
  Accountability principle
Lawful basis for processing
  Consent
  Contract
  Legal obligation
  Vital interests
  Public task
  Legitimate interests
  Special category data
  Criminal offence data
Individual rights
  Right to be informed
  Right of access
  Right to rectification
  Right to erasure
  Right to restrict processing
  Right to data portability
  Right to object
  Rights related to automated decision making including profiling
Accountability and governance
  Contracts
  Documentation
  Data protection by design and default
  Data protection impact assessments
  Data protection officers
  Codes of conduct
  Certification
  Guide to the data protection fee
Security
  Encryption
  Passwords in online services
  Personal data breaches
International transfers
Exemptions
Applications
  Children

02 August 2018 - 1.0.248





The Guide to the GDPR explains the provisions of the GDPR to help organisations comply with its requirements. It is for those who have day-to-day responsibility for data protection.

The GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). The main provisions of this apply, like the GDPR, from 25 May 2018.

This guide refers to the DPA 2018 where it is relevant and includes links to relevant sections of the GDPR itself, to other ICO guidance and to guidance produced by the EU's Article 29 Working Party, now the European Data Protection Board (EDPB).

We intend the guide to cover the key points that organisations need to know. From now we will continue to develop new guidance and review our resources to take into account what organisations tell us they need. In the longer term we aim to publish more guidance under the umbrella of a new Guide to Data Protection, which will cover the GDPR and DPA 2018, and include law enforcement, the applied GDPR and other relevant provisions.

Further reading Data protection self assessment toolkit

For organisations

For a more detailed understanding of the GDPR it is also helpful to read the guidelines produced by the EU's Article 29 Working Party, which has now been renamed the European Data Protection Board (EDPB). The EDPB includes representatives of the data protection authorities from each EU member state, and the ICO is the UK's representative. The ICO has been directly involved in drafting many of these guidelines. We have linked to relevant EU guidelines throughout the Guide to GDPR.

We produced many guidance documents on the previous Data Protection Act 1998. Even though that Act is no longer in force, some of them contain practical examples and advice which may still be helpful in applying the new legislation. While we are building our new Guide to Data Protection we will keep those documents accessible on our website, with the proviso that they cannot be taken as guidance on the DPA 2018.

We previously produced an Introduction to the Data Protection Bill as it was going through Parliament. We will update this document to reflect the final text of the DPA 2018 and publish it as soon as possible.

We also published a guide to the law enforcement provisions in Part 3 of the Data Protection Bill, which implement the EU Law Enforcement Directive. We will update this to reflect the relevant provisions in the DPA 2018.



What's new

We will update this page monthly to highlight and link to what's new in our Guide to the GDPR.

September 2018

We have expanded our guidance on Exemptions.

August 2018

We have expanded our guidance on International transfers.

May 2018

The European Data Protection Board (EDPB) has published draft guidelines on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 for consultation. The consultation will end on 12 July.

We have published detailed guidance on children and the GDPR.

We have published detailed guidance on determining what is personal data.

We have expanded our guidance on data protection by design and default, and published detailed guidance on automated decision-making and profiling.

We have published a new page on codes of conduct, and a new page on certification.

We have published detailed guidance on the right to be informed.

We have published detailed guidance on Data Protection Impact Assessments (DPIAs).

We have expanded the pages on the right of access and the right to object.

We have published detailed guidance on consent.

We have expanded the page on the right to data portability.

April 2018

We have expanded the page on Accountability and governance.

We have expanded the page on Security.

We have updated all of the lawful basis pages to include a link to the lawful basis interactive guidance tool.

March 2018

We have published detailed guidance on DPIAs for consultation. The consultation will end on 13 April 2018. We have also updated the guide page on DPIAs to include the guide level content from the detailed guidance.

We have published detailed guidance on legitimate interests.

We have expanded the pages on:
