GDPR Archives - L2 Cyber Security Solutions

Legal Basis for Processing

Liam — Fri, 14 Apr 2023 14:44:07 +0000

The General Data Protection Regulation (GDPR) outlines the conditions under which there is a legal basis for processing personal data.

Download Detailed Guidance Here

The Six Lawful Bases for Processing:

To collect or use personal data legally, you cannot just "want" to do it. You must rely on one of six specific legal justifications (Article 6). If you cannot fit your processing into one of these boxes, you cannot collect the data.

You must identify and document one of these bases before you start processing data.

Consent: The individual has given you clear, specific permission to process their data for a specific purpose.
Contract: You need to process the data to fulfil a contract with the individual (e.g., you need their address to deliver goods they bought).
Legal Obligation: You are required by law to process the data (e.g., keeping salary records for tax purposes).
Vital Interests: It is a life-or-death situation (e.g., giving emergency medical data to a hospital to save someone's life).
Legitimate Interests: You have a genuine business reason (like fraud prevention or network security), and this reason is not overridden by the individual's rights or freedoms.
Public Interest: You are performing a task in the public interest or acting under official authority (usually applies to government bodies, not private companies).

1. Strict Rules for "Consent"

If you choose "Consent" as your legal basis, the bar is set very high. You must be able to prove you obtained it validly.

Freely Given: The user must have a real choice. You cannot force them to consent or punish them if they say no.
Informed: They must know exactly who you are and what you are doing with their data.
Specific: You cannot ask for "blanket consent." You must ask for permission for each specific purpose.
Clear Affirmative Action: The user must do something to consent (like ticking a box). You must also keep a record of this consent being given. Pre-ticked boxes are banned.
Easy Withdrawal: You must tell them they can withdraw consent at any time, and if they do, you must stop processing immediately.

2. Contractual Necessity

When to use it: Use this when you have a contract with an individual (or are about to enter one) and you literally cannot do your job without their data.

The Rule: The processing must be necessary for the performance of a contract to which the individual is a party.

Practical Example: If you sell a product online, you need the customer's address to deliver it. You don't need their consent for the address. You need it to fulfil the contract of sale.

Constraint: You cannot use this for things that are "nice to have" but not essential to the contract (e.g., using that same address for marketing newsletters usually requires a different basis, like Consent).

3. Legal Obligation

When to use it: Use this when you have no choice because the law says you must process the data.

The Rule: The processing is necessary for compliance with a legal obligation.

Practical Example: You are required by tax laws to keep records of employee salaries for a certain number of years. Even if an employee asks you to delete their data, you can refuse because you have a legal obligation to keep it.

Constraint: This must be a statutory obligation (EU or National law), not just a contractual obligation to a third party or your own company policy.

4. Vital Interests

When to use it: This is the "Emergency Only" basis. It applies to life-or-death situations.

The Rule: The processing is necessary to protect the vital interests of the data subject or another person.

Practical Example: If a visitor to your office collapses and is unconscious, you might disclose their medical allergies (if known) to the paramedics. You don't need to wake them up to get consent because their life (vital interest) is at risk.

Constraint: You generally cannot use this for large-scale data processing or health data unless it is truly a medical emergency.

5. Legitimate Interests

When to use it: This is the most flexible basis, often used for business activities like fraud prevention, network security, or direct marketing. However, it requires a careful "Balancing Test".

The Rule: Processing is necessary for your legitimate interests (or those of a third party), UNLESS those interests are overridden by the individual's fundamental rights and freedoms.

The "Balancing Test": You must weigh your benefit against the user's privacy:

Your side: "We need to process IP addresses to stop hackers attacking our website." (This is a strong legitimate interest).

Their side: "Does this hurt the user's privacy?" (Likely minimal impact).

Result: You can probably proceed.

Constraint: If the processing would be unexpected, cause harm, or if the individual is a child, their rights likely override your interests. You must document this assessment.

6. Public Interest / Official Authority

When to use it: This is primarily for public authorities (like schools, hospitals, police, or councils) performing their official duties.

The Rule: The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in you.

Practical Example: A local council collecting data to organise bin collection or a tax authority collecting income data.

Constraint: Private companies rarely use this unless they are contracted to carry out specific public tasks (e.g., a private utility company maintaining the water supply).

Download Detailed Guidance Here

The post Legal Basis for Processing appeared first on L2 Cyber Security Solutions.

Principles of the GDPR

Liam — Fri, 14 Apr 2023 14:37:37 +0000

The General Data Protection Regulation (GDPR) sets out the principles of the GDPR that organisations must follow when processing personal data.

Download Detailed Guidance Here

Principles of the GDPR

Here is a simplified guide to the 7 Core Principles of the GDPR (Article 5).

Think of these not just as codes, but as the "Golden Rules" for how you handle data. If you violate these principles, you are violating the GDPR, even if your security is technically perfect.

Lawfulness, Fairness, and Transparency

Your Obligation: You must be honest and open about what you are doing.

Lawful: You cannot process data just because you want to. You need a valid legal reason (like Consent or a Contract).

Fair: You shouldn't do things with data that people wouldn't expect or that could mislead them. You must give them control over their information.

Transparent: You can't hide in the shadows. You must provide clear, accessible information (usually a Privacy Notice) explaining exactly how you process their data.

Purpose Limitation

Your Obligation: Be specific about why you need the data and stick to that reason.

The Rule: You must collect data for "specified, explicit, and legitimate purposes".

No "Scope Creep": You cannot collect data for one reason (e.g., "to deliver a pizza") and then use it for a completely different reason later (e.g., "to sell their address to a gym"), unless you get fresh consent or have another clear legal reason.

Communication: You must tell the individual this purpose at the start.

Data Minimisation

Your Obligation: Collect only what you strictly need.

The Rule: Data must be adequate, relevant, and limited to what is necessary for your specific purpose.

Practical Step: If you don't need someone's date of birth to sell them a book, don't ask for it. Avoid hoarding "just in case" data.

Accuracy

Your Obligation: Keep the data correct and up to date.

The Rule: You must take reasonable steps to ensure data is not incorrect or misleading.

Correction: If you find out data is wrong, you must fix it or erase it without delay. You should also give individuals an easy way to update their own records.

Storage Limitation

Your Obligation: Don't keep data forever.

The Rule: You must not keep personal data for longer than you actually need it for your stated purpose.

Guidance: There may be a statutory requirement for a retention period (e.g. Revenue), or a supervisory body providing guidance. If neither exist, then set your own retention period and document the justification for it.

Retention Policy: You need a clear policy that says when you will delete data. When that time comes, you must securely erase or anonymise it.

Integrity and Confidentiality (Security)

Your Obligation: Keep the data safe.

The Rule: You must protect data against unauthorised access, accidental loss, destruction, or damage.

Measures: This isn't just about firewalls. It includes organisational measures like taking data backups, restricting access so only the staff who need to see the data can see it, amongst other things.

Accountability

Your Obligation: Prove it.

The Rule: It is not enough to just comply with these principles. You must be able to demonstrate that you comply.

Documentation: This requires you to have written policies, records of your processing activities, and internal procedures in place to show regulators that you take these rules seriously.

Download Detailed Guidance Here

The post Principles of the GDPR appeared first on L2 Cyber Security Solutions.

Rights of an Individual

Liam — Fri, 14 Apr 2023 13:46:30 +0000

The General Data Protection Regulation (GDPR) provides strong rights of an individual, whose personal data is being processed by organisations.

Download Detailed Guidance Here

The Rights of an Individual

The right to be informed

Article 13 and Article 14.

Your Obligation: You must be completely transparent about how you use personal data. You cannot collect data in secret; you must provide "fair processing information," typically through a Privacy Notice.

What to include: You must detail your identity and contact info (and that of your DPO), why you are processing the data and the legal basis for doing so, how long you will keep it, and who else will receive it. You must also list the users' rights, including their right to withdraw consent or lodge a complaint.

Format: The information must be concise, transparent, intelligible, easily accessible, and free of charge. It must be written in clear, plain language—especially if addressed to a child.

Timing:

Direct Collection: If you got the data straight from the individual, give them this info at the time you collect it.
Indirect Collection: If you got the data from elsewhere, you must inform the individual within a reasonable period (maximum one month), or at the point you first communicate with them or share the data with someone else.

The table below summarises the information you should supply to individuals where the personal data has been obtained either directly from the data subject or by another means.

Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officer.	The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.
Any recipient or categories of recipients of the personal data.	Purpose of the processing and the legal basis for the processing.
The right to lodge a complaint with a supervisory authority.	The existence of each of data subject’s rights.
Retention period or criteria used to determine the retention period.	Details of transfers to a different country and what safeguards apply.
The right to withdraw consent at any time, where relevant.	The legitimate interests of the controller or third party, where applicable.

If the personal data was obtained directly from the data subject, then you should provide them with the above information at the time you get the personal data.

The next table summarises the information you should supply to individuals where the personal data has not been obtained directly from the data subject.

The source the personal data originates from and whether it came from publicly accessible sources.

Categories of personal data.

The right of access (Subject Access Requests)

Article 15.

Your Obligation: You must allow individuals to verify that their data is being processed lawfully. If asked, you must confirm you are processing their data and provide a copy of it.

Deadlines: You must respond without delay, and at the latest within one month.

Extension: You can extend this by two months if the request is complex or numerous, but you must notify the individual within the first month and explain why.

Fees: You generally cannot charge a fee.

Exception: You may charge a "reasonable fee" based on administrative costs only if the request is "manifestly unfounded or excessive" (e.g., repetitive) or for additional copies.

Verification: You must verify the identity of the requester using reasonable means before handing over data.

Suggested ways:

- Ask the individual to confirm details only they would know based on the data you already hold. Ask 2-3 specific questions:
  - "Please confirm the amount of your last transaction with us."
  - "What is the reference number on your most recent bill?"
  - "Please confirm the phone number we have on file for you."
- Require the user to log in to their secure account area to submit the request.
- If you must ask for photo ID, ask them to redact unnecessary information – e.g. “Please send a photo of your driving licence, but please black out your licence number and date of birth. We only need to see your name and photo”

Format: If the request is made electronically, you should provide the data in a commonly used electronic format.

The right to rectification

Article 16.

Your Obligation: You must correct inaccurate or incomplete personal data upon request.

Third Parties: If you have shared this data with other organisations, you must inform them of the correction if possible.

Deadlines: You have one month to comply. This can be extended by two months for complex requests, provided you notify the individual.

Refusal: If you decide not to take action, you must explain why and inform the individual of their right to complain to a supervisory authority.

The right to erasure ("Right to be Forgotten")

Article 17.

Your Obligation: You must delete personal data when there is no compelling reason to keep it. BUT this is not an absolute right. You are quite likely to refuse this one, as its scope is quite narrow.

When to delete: You must act if:

consent is withdrawn
the data is no longer needed for its original purpose
it was processed unlawfully
if there is a legal obligation to delete it

Special attention is required for data collected from children online.

Public Data: If you have made the data public (e.g., on a website), you must take reasonable steps to inform other controllers processing that data to erase links to or copies of it.

Exceptions: You can refuse deletion if the processing is necessary for freedom of expression, public health, contractual, legal obligations, or the defence of legal claims.

The right to restrict processing

Article 18.

Your Obligation: In specific circumstances, you must stop using the data but keep it stored. You can retain just enough info to ensure the restriction is respected in the future.

When to restrict: You must apply this if an individual contests the accuracy of data (while you verify it), if they object to processing (while you verify your legitimate grounds), or if the processing is unlawful but the individual prefers restriction over deletion.

Notification: You must inform any third parties you shared the data with about the restriction. You must also tell the individual before you lift the restriction.

The right to data portability

Article 20.

Your Obligation: You must allow individuals to obtain and reuse their data across different services by providing it in a format that allows easy transfer.

Format: Provide the data in a structured, commonly used, and machine-readable form (e.g., CSV files) so software can extract the data.

Scope: This applies only to data the individual provided to you, processed by automated means, based on consent or a contract.

Direct Transfer: If the individual asks and it is technically feasible, you should transfer the data directly to another organisation.

The right to object

Article 21.

Your Obligation: You must respect an individual's right to say "no" to processing in certain cases.

Direct Marketing: If an individual objects to direct marketing, you must stop immediately. There are no exemptions or grounds to refuse.

Legitimate Interests/Public Task: If they object to processing based on these grounds, you must stop unless you can demonstrate "compelling legitimate grounds" that override their rights, or if it is for legal claims.

Communication: You must explicitly bring this right to their attention at the point of first communication and in your privacy notice, keeping it separate from other information.

Rights in relation to automated decision making and profiling

Article 22.

Your Obligation: You must provide safeguards against potentially damaging decisions made solely by computers without human intervention.

The Right: Individuals can refuse to be subject to automated decisions that have legal or significant effects on them.

Safeguards: If you use automated decision-making, you must allow the individual to obtain human intervention, express their point of view, and obtain an explanation of the decision so they can challenge it.

Profiling: If you use profiling (analysing personal aspects like performance, health, or location), you must be transparent about the logic involved and the significance of the consequences. You must use appropriate mathematical procedures and secure the data to prevent errors or discrimination.

Download Detailed Guidance Here

The post Rights of an Individual appeared first on L2 Cyber Security Solutions.

L2 Cyber Security Solutions GDPR Audits are powered by Serity

Liam — Wed, 01 Jan 2020 09:00:30 +0000

The post L2 Cyber Security Solutions GDPR Audits are powered by Serity appeared first on L2 Cyber Security Solutions.

Right To Be Informed

Liam — Wed, 31 Jul 2019 23:01:46 +0000

This page lists all of the various categories of personal data that L2 Cyber Security Solutions process and provides a downloadable PDF containing the required right to be informed information.

Customers (clients who have engaged L2 Cyber Security directly for training and consulting work):

Download here

Website users:

Download here

Trainees who attend an L2 Cyber Security provided course:

Download here

Trainees who attend a training course, provided by separate business entity, for which L2 Cyber is contracted to (e.g. a Skillnet, Local Enterprise Office, another training company, etc.):

Download here

Suppliers of goods and services to L2 Cyber Security:

Download here

Effective Data: 01/08/2019

Reviewed: Annually

The post Right To Be Informed appeared first on L2 Cyber Security Solutions.

Individual’s Rights

Liam — Fri, 14 Sep 2018 11:00:09 +0000

The General Data Protection Regulation (GDPR) created some new rights for individuals and strengthens some of the rights that previously existed under the Data Protection Act 1988/2003.

The PDF is available here: GDPR-01-Individuals rights

The post Individual’s Rights appeared first on L2 Cyber Security Solutions.

Data breach video series – CCTV Leakage

Liam — Fri, 20 Jul 2018 10:59:25 +0000

Data Breach CCTV Leakage.

This short video talks about how allowing CCTV footage to be leaked online is a serious data breach under the #GDPR.

For more information or to contact us please visit our website at https://www.L2CyberSecurity.com

The post Data breach video series – CCTV Leakage appeared first on L2 Cyber Security Solutions.

Data breach video series – Open Plan Office

Liam — Mon, 16 Jul 2018 16:02:06 +0000

Data Breach Open Plan Office.

This short video talks about how having a public space near to an open plan office may lead to a data breach under the #GDPR. A breach may arise where your staff are speaking to other staff or to people on the phone and they are speaking items of personal data out loud. If there is somebody waiting in a public space near the open plan office that could overhear their talk, then a data breach will have occurred.

For more information or to contact us please visit our website at https://www.L2CyberSecurity.com

The post Data breach video series – Open Plan Office appeared first on L2 Cyber Security Solutions.

Data breach video series – Sharing a Password

Liam — Fri, 13 Jul 2018 17:56:51 +0000

Data Breach Sharing a Password.

This short video talks about how simply sharing your password could be a data breach under the #GDPR. This is because, by giving somebody your password, you are giving them access to everything that you have access to. If you are authorised to access certain personal data, which they are not authorised to be able to access, then by giving them your password, you have caused a data breach as they can now access data that they should not be able to.

For more information or to contact us please visit our website at https://www.L2CyberSecurity.com

The post Data breach video series – Sharing a Password appeared first on L2 Cyber Security Solutions.

Data breach video series – Personal data on display

Liam — Mon, 09 Jul 2018 16:50:59 +0000

Date Breach Personal data on display.

This short video talks about how simply leaving somebody’s personal data on display in a public place is a data breach under the #GDPR.

For more information or to contact us please visit our website at https://www.L2CyberSecurity.com

The post Data breach video series – Personal data on display appeared first on L2 Cyber Security Solutions.