Personal data is a crucial business asset that must be managed and protected properly
In this digital age, most organisations depend entirely, in order to function, on their ability to obtain (collect) and lawfully use data. As a consequence, the value of most organisations is assessed, to a large degree, by reference to their databases. In reality, much of that data will be personal data, e.g. customer lists. In other words, personal data is a crucial business asset.
But this crucial business asset can only be lawfully processed (collected and used) in compliance with the GDPR. Failure to comply carries significant business risks, which means that personal data must be managed and protected properly.
What is personal data?
This is not always straightforward.
Under the GDPR, personal data is information that relates to an identified individual. What identifies an individual could be as simple as a name or a number, or could include other identifiers such as an IP address or a cookie identifier, or other factors. If it is possible to identify an individual directly from the information you are processing, then that information will be personal data.
However, personal data is also information that relates to an identifiable individual. This means that if you cannot directly identify an individual from that information, you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used, by either you or any other organisation, to identify that individual.
Just to make things even more complicated, even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, that data is not personal data unless it ‘relates to’ the individual.
This means that it is essential that your organisation knows when the data it is processing is personal data and when it is not.
What does ‘managed properly’ mean?
A key principle of the GDPR is ‘accountability’, which makes you responsible not only for complying with the GDPR but also for being able to demonstrate that compliance. This means there are a number of measures that you can, and in some cases must, take, including:
- adopting and implementing data protection policies
- taking a ‘data protection by design and default’ approach
- putting written contracts in place with organisations that process personal data on your behalf
- maintaining documentation of your processing activities
- implementing appropriate security measures (see below)
- recording and, where necessary, reporting personal data breaches
- carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests
- appointing a data protection officer; and
- adhering to relevant codes of conduct and signing up to certification schemes.
Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place. In other words, it’s not a one-off exercise.
The ICO, the UK regulator for data protection, which enforces the GDPR in the UK, says “If you implement a privacy management framework this can help you embed your accountability measures…”. In other words, the ICO expects all organisations to have in place governance arrangements that enable them to manage the personal data they collect and use in compliance with the GDPR.
This means that it is essential that your organisation has someone (or access to someone) who will ensure you take the measures detailed above.
What does ‘protected properly’ mean?
Another key principle of the GDPR is that you process personal data securely by means of ‘appropriate technical and organisational measures’. Doing this requires you to consider things like risk analysis, organisational policies, and physical and technical measures.
You also have to take into account additional requirements about the security of your processing – and these also apply to data processors (those third parties that process personal data on your behalf).
Your measures must ensure the ‘confidentiality, integrity and availability’ of your systems and services and of the personal data you process within them. The measures must also enable you to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident.
You also need to have appropriate processes in place to regularly test the effectiveness of your measures and to make any improvements that testing shows are required.
This means that it is essential that your organisation knows what appropriate technical and organisational measures it must have in place.
Written by Robert Wassall
Robert Wassall is a solicitor, expert in data protection law and practice and a Data Protection Officer. As Head of Legal Services at NormCyber Robert heads up its Data Protection offering and advises organisations across a variety of industries. Robert and his team support them in all matters relating to data protection and its role in fostering trusted, sustainable relationships with their clients, partners and stakeholders.