The UK GDPR 2018 sets out seven key principles of data protection:
- Lawfulness, fairness and transparency.
- Purpose limitation - information has to be collected for a specific and lawful reason.
- Data minimisation - collected data has to be relevant to the purpose.
- Accuracy - data must be accurate and kept up to date.
- Storage limitation - data should be kept for only so long as is necessary.
- Integrity and confidentiality (security) - the data should be kept safe.
- Accountability - an organisation should be able to demonstrate how it is complying with the regulations.
7 principles of data protection: A guide to the data protection principles | Information Commissioner’s Office (ICO).
Voluntary and community groups have a legal responsibility to protect personal data. This legal responsibility means that organisations need to take certain steps to ensure they are compliant with the law.
Organisations need to:
- Decide upon a lawful basis for data collection.
- Identify whether they are collecting special category data. This is data which is considered more sensitive than other data, such as ethnic origin or medical data. Organisations should take extra precautions to ensure this data is protected.
- Ensure they do not keep data longer than is necessary.
- Enable individuals to maintain control over their own data – this includes ensuring individuals give informed consent and responding to Subject Access Requests where an individual can request a copy of all information held on them by an organisation.
- Be able to demonstrate the steps they take to ensure they comply with the law.
- Ensure that breaches of data security are reported to the ICO.