On 25 May 2018 the General Data Protection Regulation (GDPR) comes into force and all processing of personal data taking place on or after that date must be compliant with it. Below is part 2 of a report authored by Veale Wasbrough Vizards (VWV) in partnership with the CDRC on how GDPR will impact upon social science research.
Summary of the Overarching GDPR Principles
There are 7 overarching principles of data processing under the GDPR and each is summarised below. Definitions of the defined terms used here can be found in the glossary above.
Principle 1. Lawfulness, fairness and transparency
All processing of personal data must have a lawful basis. There are two sets of grounds which can be used to justify processing. One set of grounds covers special category personal data and another covers all other personal data.
For all personal data that is not special category personal data there are six lawful bases available. The most likely to be applicable for research activities are:
- the processing is necessary for the performance of a task carried out in the public interest;
- the data subject has provided consent; and
- the processing is necessary for the purposes of the legitimate interests of the data controller or a third party and the interests of the data subject are not overridden.
For special category personal data, processing for research purposes is permitted so far as:
- (i) one of the six lawful bases for non-special category personal data applies;
- (ii) the essence of the data protection rights is respected; and
- (iii) suitable safeguards and protections are put in place.
Fairness and Transparency of Processing
The GDPR requires data controllers to identify:
- the different categories of personal data which they process;
- the purposes for which that processing is carried out; and
- the lawful basis for each processing activity.
The GDPR obliges data controllers to provide data subjects with certain information about how their personal data will be used. This includes:
- the data controller’s identity and contact details;
- the personal information held about the data subject;
- how personal information is collected from the data subject;
- the purpose of the processing;
- the lawful basis/bases being used to justify the processing;
- who personal data will be shared with;
- the duration for which the personal data will be retained;
- whether personal data will be transferred outside the EEA; and
- the data subject’s right to complain to the ICO.
Typically, the above information is communicated to the data subject in the form of a transparency notice, which may be made up of several documents (or electronic notices), each of which is given at the relevant time.
Principle 2. Purpose Limitation
The GDPR requires that personal data only be collected and processed for specific, explicit and legitimate purposes and not further processed in any way that is incompatible with those original purposes.
Please see questions relating to the treatment of personal data processed for research purposes in the FAQ section of this guidance.
Principle 3. Data Minimisation
The principle of data minimisation requires that personal data only be processed if it is accurate and relevant to the purpose for which it is processed. Personal data should also only be processed to the extent that it is necessary in relation to the processing purpose.
Principle 4. Accuracy
Every reasonable step should be taken to ensure that personal data is accurate and where necessary kept up to date. Every reasonable step should be taken to ensure that inaccurate data is deleted or rectified.
Principle 5. Storage limitation (i.e. retention of personal data)
As part of the Principle of Data Minimisation (see above), the GDPR states that personal data should be kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which personal data is processed.
Data Controllers should decide upon a retention policy for different categories of personal data and be transparent about the criteria used to determine any retention period that cannot be specified when the data is collected.
Principle 6. Integrity and Confidentiality
Personal data must be subject to appropriate security and protected against any unauthorised or unlawful processing.
Appropriate technical and organisational measures should be adopted to protect personal data against accidental loss, destruction or damage.
Principle 7. Accountability
Data controllers are responsible for their own compliance with data protection law, and the GDPR states that they must be able to demonstrate their compliance. To this end, the GDPR places data controllers under an obligation to keep written records of their processing activities.