- ICO Fee: Controllers need to pay a data protection fee to the Information Commissioner’s Office (ICO) (previously the requirement was to register with the ICO). To see how much you are required to pay, use the ICO assessment tool.
- Article 30 Records: Article 30 UK General Data Protection Regulation (UK GDPR) lists the information that (i) Controllers and (ii) Processors are required to record in writing (electronically is fine). The ICO can request to see these records, so it is important that you have them and that they are up to date.
- DPIA: You must complete a data protection impact assessment (DPIA) if the processing activity you are carrying out is likely to result in a high risk to the rights and freedoms of individuals (i.e. significant physical, material or non-material harm). DPIAs should be done before the relevant processing starts and kept under review while it continues.
- Breach Records: All personal data breaches must be recorded – even if they are not reported to the ICO. The record must contain (a) facts around the breach, (b) effects of the breach, and (c) remedial action taken.
- Policies: The accountability requirement means that the controller is responsible for, and must be able to demonstrate, its compliance with the 6 core data protection principles set out in Article 5(1) UK GDPR. In summary, these are that personal data is:
  - processed in a lawful, fair and transparent manner (lawfulness, fairness and transparency)
  - collected for specified, explicit and legitimate purposes and not further processed in a way that is inconsistent with such purposes (purpose limitation)
  - adequate, relevant and limited to what is necessary for the purposes for which it is processed (data minimisation)
  - accurate and kept up to date (accuracy)
  - kept in a form which permits the data subject to be identified for no longer than is necessary (storage limitation)
  - processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).
Documentation-wise, one of the key ways to demonstrate your accountability compliance is through your business’ policies (both internal and external facing), which you would be able to provide to the ICO if and when requested.
If you have any queries regarding our top tips for Subject Access Requests or need help in implementing them do get in touch.
Please feel free to like and share our top tips and check back again tomorrow for our next set of top tips.
Happy Data Privacy Day from the Birketts Data Protection Team.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at January 2021.