UK GDPR - Coggle Diagram
UK GDPR
Organisations must have valid grounds under UK GDPR for collecting and using personal data. There are six lawful bases:
Consent
Deemed consent, pre-ticked check boxes and opt-out mechanisms are no longer permitted ways of obtaining consent.
Organisations will need to ensure their systems can demonstrate how and when explicit consent was obtained, in order to justify why they hold data on any individual.
Contractual obligations
Any processing of personal data required to fulfil a contractual obligation, or in anticipation of a contractual obligation (such as providing a quote), is permitted under UK GDPR provided there is no alternative way to meet the obligation without processing the personal data.
Legal obligations
Processing of personal information is permitted if the organisation undertaking it is doing so in order to meet a legal obligation.
For all companies this permitted use covers maintaining statutory records and including personal information in forms filed with the Registrar, such as the confirmation statement.
Vital interests
This basis is of limited use in everyday situations, as it only permits processing of personal data necessary to protect someone's life; that person need not be the person whose data is being processed.
Public task
Processing of personal data is permitted where an organisation needs it to carry out a task in the public interest or in the exercise of official authority, including the administration of justice or exercising a function of the Crown or a government department.
Legitimate interests
This category provides the most flexibility to the data controller or data processor, as it permits processing of data necessary for the legitimate interests of the data controller or of a third party, except where the fundamental rights and freedoms of the data subject require the data to be protected.
There are no formal fixed rules, but organisations controlling or processing personal data need to design their procedures and policies within the context of the principles and be prepared to justify how adherence to any particular principle is met.
There are very few exceptions to these principles; among those that are permitted are processing for national security purposes and processing carried out by individuals purely for personal or household activities.
UK GDPR places new specific legal obligations on data processors, including a requirement to maintain records of personal data and processing activities. Data processors have significantly more legal liability if they are responsible for a breach.
Data controllers are also subject to additional obligations. In particular, where a controller uses the services of a third-party data processor, the data controller must ensure that the service contractor carries out the processing activities in compliance with UK GDPR, whether those activities are carried out within or outside the UK.
UK GDPR applies to personal data; however, UK GDPR's definition has been drawn much more widely than the previous legislation and makes it clear that any information that identifies a person can be personal data. This wider definition now encompasses not only email addresses but also IP addresses.
For most organisations keeping HR records, customer lists or contact details, the change to the definition should make little practical difference.
Simple identification alone is not enough to be covered by UK GDPR; the information must relate to the person in some way, such as identifying them as an employee or as a resident in a building.