Seven Principles for data processing are set out in GDPR.
They govern the way Data Controllers are supposed to treat the personally identifiable information they use in their business.
Any kind of personal data used by your business must be processed in accordance with the guidelines of GDPR. Your business also needs to specify the reasons why it is processing Personal Data.
This means you need to have at least one lawful reason for processing Personal Data. If you don’t have at least one lawful reason your business is in breach of GDPR.
Helpfully, GDPR identifies six lawful reasons for you to choose from:
1. Consent of the Data Subject.
2. Performance of a contract with the Data Subject.
3. Compliance with a legal obligation.
4. Safeguarding the vital interests of a Data Subject.
5. Performance of a task carried out in the public interest.
6. The legitimate interests of the Data Controller.
In reality, hotel businesses are likely to make use of the first two on that list. Your business will need Consent from the Data Subject as the bare minimum (we will take a closer look at what Consent means shortly; under GDPR it is different from what you might have been used to under the old Data Protection Act). It is best if you’re able to cite two lawful reasons for processing data.
Your other lawful reason for processing personal information will probably be for the “performance of a contract”. Again, we’ll consider this in a bit more detail shortly.
Occasionally you may be able to use “compliance with a legal obligation”, for example when you are bound by the terms of liquor licensing law.
“Safeguarding the vital interests of a Data Subject” might become relevant when handling certain aspects of employee data. But you really need to seek a qualified legal opinion in each case.
Don’t get too carried away by the apparent “catch-all” condition noted in item 6. The legitimate interests of your business as the Data Controller will often be trumped by the legitimate interests of the Data Subject. If you’re going to use this condition to claim lawful processing you really need to have a good legal opinion behind you. This opinion might be based on your completion of a “Legitimate Interests Assessment” (LIA), in which you weigh the interests of your business against the rights of the personal data owner.
Currently the working group notes Legitimate Interest as a possible legal ground for processing data for marketing purposes. Your business does have an obligation to find new customers, and there are reasonable grounds for you to be able to contact prospective and previous customers under certain conditions. Your LIA should identify your reasoning for why you are contacting people and how you will protect their rights. It is not enough to attack a mailing list with a marketing promotion and then retrospectively claim “legitimate interest”. It needs to be part of your plan. These conditions have been designed to be easier to comply with than to get around.
Personal data must always be kept up to date. There is a risk to the Data Subject if you hold out of date or inaccurate information about them.
So you need to make sure that out of date or inaccurate data is either removed or rectified promptly.
You can only use the data you collect for the intended and explicit purpose, which is the purpose Data Subjects grant you Consent for or the purpose that defines your lawful right to process. You are not allowed to use or process PII for any other purpose unless you obtain informed consent for that new purpose.
There will be a time limit imposed for how long you can store PII.
How long do you really need to keep PII data for?
There may be requirements to hold certain types of data for financial audit or tax purposes. This will be acceptable under GDPR as long as the data is held securely. Otherwise you will need to be clear about the conditions under which you will store PII and for how long.
You should only collect and use the data you really need. This should be identified in your process flows and designs. If you don’t use it, why do you need to collect it? Holding PII data means you have a responsibility to look after it. That responsibility carries with it a risk if there is a breach. So why would you want to collect stuff you don’t need that could pose a risk to you and your clients?
PII data needs to be safe and only accessed in an authorised way.
GDPR recognises the fact that businesses come in all shapes and sizes, from one-man bands to multinational conglomerates. So it only insists that security measures are “appropriate”.
In a small business with PII only kept in a notebook or a diary, this might be as simple as ensuring the notebook is kept in a locked drawer when not in use and the Data Controller holds the key or has an “appropriate” way to restrict access.
PII data needs to be protected against unauthorised access, unlawful processing, accidental loss, destruction or damage.
For IT this probably means a robust encryption and backup regime. Your IT department or consultant may want to really go to town on this, but all you need to have is “appropriate” protection. It is up to you to decide what “appropriate” means for your business. Remember it also needs to be adequate for the purpose. So while you try to avoid spending too much on Integrity and Confidentiality, whatever you decide to do must be fit for the purpose.
For paper-based business records you need to make sure that they are stored in a safe way, safe from unauthorised access or accidental destruction for example. So if you have all your daily business records from last year stored in cardboard boxes in a basement cellar: is the cellar locked? Who has access to the keys? What happens if the cellar floods?
It is perfectly valid for you to keep these business records, as HMRC might want to inspect them, but the PII they contain is your responsibility. If they are accessed by an unauthorised person or destroyed outwith the terms of your retention policy, you may be in breach of GDPR.
Someone is accountable and responsible for how PII data is handled, processed or used. Under GDPR that responsibility flows throughout the processing chain but it is ultimately the responsibility of the Data Controller.
In terms of the Data Controller / Data Processor relationship there will sometimes be some form of shared liability. Both will be responsible for complying with the Principles of GDPR.
This means that if you are a company director YOU are responsible for what happens to the PII your company holds, processes, delegates, uses or loses. In the event of a breach, it is the directors who shoulder responsibility. You can only pass the responsibility on if you have the appropriate set of processes, instructions, contracts and collected evidence in place to prove that you are not at fault.
The accountable person needs to be able to demonstrate to the ICO or a Court how they comply with the Principles.