GDPR - Diary of a Data Champion: Chapter 3
Chapter 3 – Legitimate Purpose and Legal Basis
Before we get into legitimate purpose and legal basis for processing personal data, I can’t help noticing that Facebook is in the news again today for another data breach. If GDPR were applicable in the USA now, Facebook would be in big trouble with the information regulator for failing to notify it and users of this breach in an appropriate way. As noted in the Daily Telegraph Business Section today (18 April 2018), by default, Facebook profiles allow users to ‘tag’ their friends in pictures and status updates, and this feature can only be switched off manually by the user. As most users do not change their default settings, the majority who installed a Facebook app, such as a quiz or personality test, exposed most of their friends’ names. So far, Facebook has not revealed how many developers had access to this app or whether it has any evidence of abuse – this is information which Facebook would be required to share under GDPR.
You may recall that in my previous ‘Diary of a Data Champion’ post, I reported that I’d left what I perceived to be the most difficult section until later: identifying the legitimate purposes and legal basis for processing personal data. As I looked at the headings, I felt like a schoolboy facing some difficult homework I’d been putting off and wondered how I was going to make sense of this. As a fellow coach commented to me the other day, this aspect of GDPR left her feeling ‘unhinged’ and I can now understand why!
Seeking an alternative route in, I looked at the FSB (Federation of Small Business) template for the Data Privacy Notice. This was invaluable as it covered much of the same ground and came with detailed guidance on how to complete it. I worked through it steadily and by the end, I was relieved that I’d been able to identify the legitimate purposes and legal bases for processing personal data. As we also process some ‘sensitive personal data’ in the form of health data, we also needed to identify a separate legal basis for that from a different part of the GDPR. Completing the Data Privacy Notice felt like the crux of GDPR: now I’d done this, I simply needed to run it by my colleagues, fill in some of the less important blanks and we would have our Data Privacy Notice. Additionally, I could copy much of this information into our GDPR Register as our record of data processing activities. Our GDPR policies and procedures would then be pretty much complete.
If you are reading this and wonder where you can get some helpful templates and guidance for GDPR, here are some suggestions. You could join the FSB (Federation of Small Business) – it’s a superb non-profit members’ organisation with lots of benefits and I’m a big fan. On GDPR, the FSB has come up trumps. Their GDPR documents are, however, legally privileged for internal use only and may not be shared with third parties, so the only way to gain access to them is to join the FSB. With annual membership fees starting at around £140, this is excellent value. The other alternative is simply to search online. I googled ‘GDPR Data Privacy Notice Template’ and found lots of good free stuff.
In my next post, I’ll let you know what happens when I get feedback on my draft GDPR policies and procedures from my colleagues.