Below is a summary of the main changes:
It is necessary to identify the appropriate legal basis or bases for each activity that involves the use of personal data. Where special category personal data is being used (e.g. information about health, religion, ethnicity), an additional basis is required.
The ICO has expanded its guidance on the following legal bases:
The ICO has expanded the section on personal data breaches.
A personal data breach is broadly defined as a security incident that has affected the confidentiality, integrity (e.g. accuracy) or availability of personal data.
This section includes two checklists for preparing for and responding to a personal data breach, and provides answers to a number of questions on the topic, including: