What I learnt
Things I’ve learnt:
TO DO FOR LATER - Data Privacy Policy
Pulled from the ICO (Information Commissioner's Office) guidance, to help determine whether we can store and process data, as below:
How can we apply legitimate interests in practice?
If you want to rely on legitimate interests, you can use the three-part test to assess whether it applies. We refer to this as a legitimate interests assessment (LIA) and you should do it before you start the processing.
An LIA is a type of light-touch risk assessment based on the specific context and circumstances. It will help you ensure that your processing is lawful. Recording your LIA will also help you demonstrate compliance in line with your accountability obligations under Articles 5(2) and 24. In some cases an LIA will be quite short, but in others there will be more to consider.
First, identify the legitimate interest(s). Consider:
- Why do you want to process the data – what are you trying to achieve?
- Who benefits from the processing? In what way?
- Are there any wider public benefits to the processing?
- How important are those benefits?
- What would the impact be if you couldn’t go ahead?
- Would your use of the data be unethical or unlawful in any way?
Second, apply the necessity test. Consider:
- Does this processing actually help to further that interest?
- Is it a reasonable way to go about it?
- Is there another less intrusive way to achieve the same result?
Third, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:
- What is the nature of your relationship with the individual?
- Is any of the data particularly sensitive or private?
- Would people expect you to use their data in this way?
- Are you happy to explain it to them?
- Are some people likely to object or find it intrusive?
- What is the possible impact on the individual?
- How big an impact might it have on them?
- Are you processing children’s data?
- Are any of the individuals vulnerable in any other way?
- Can you adopt any safeguards to minimise the impact?
- Can you offer an opt-out?
You then need to make a decision about whether you still think legitimate interests is an appropriate basis. There’s no foolproof formula for the outcome of the balancing test – but you must be confident that your legitimate interests are not overridden by the risks you have identified.
Keep a record of your LIA and the outcome. There is no standard format for this, but it’s important to record your thinking to help show you have proper decision-making processes in place and to justify the outcome. Keep your LIA under review and refresh it if there is a significant change in the purpose, nature or context of the processing.
The last part is the most important - we should have a record of the LIA so we can demonstrate our commitment to adhering to GDPR.
The most common offence under the UK GDPR is a breach of Article 5 - being able to demonstrate the necessity of processing the data. The second most common is a breach of Article 6 - being able to demonstrate the legal basis for processing the data.
Penalties for non-compliance:
While impossible to determine without specific details, a fine would likely be £10,000 - 20,000 for a breach of Article 5, and £20,000 - 30,000 for a breach of Article 6.
Worst-case scenario: a data breach exposing sensitive information on all employees
Impossible to say for certain, but a likely scenario could cost us around £250,000 - it's critical that we get a cyber insurance policy in place before we launch the more sensitive modules like HR, pay details, etc.