The ICO Has Updated the Guide to the General Data Protection Regulation (GDPR)
One of the significant changes to the Guide relates to the bases for processing personal data under the GDPR.
Below is a summary of the main changes:
Legal Basis
It is necessary to identify the appropriate legal basis or bases for each activity which involves the use of personal data. Where special category personal data is being used (e.g. information about health, religion, ethnicity) an additional basis is required.
The ICO has expanded its guidance on the following legal bases:
- Contract
- Legal obligation
- Vital interests
- Public task
Personal Data Breaches
The ICO has expanded the section on personal data breaches.
A personal data breach is broadly defined as a security incident that has affected the confidentiality, integrity (e.g. accuracy) or availability of personal data.
This section includes two checklists for preparing for and responding to a personal data breach, and provides answers to a number of questions on the topic, including:
- What breaches do we need to notify the ICO about?
- What role do processors have?
- What information must a breach notification to the supervisory authority contain?
- What if we don’t have all the required information available yet?
- When do we need to tell individuals about a breach?
- Does the GDPR require us to take any other steps in response to a breach?
- What happens if we fail to notify?