Principles of data protection
Key changes to data protection and the seven principles surrounding the use of personal data
The UK Data Protection Action Act 2018 makes sure your information is kept safe, online and offline
The UK Data Protection Action Act 2018 (also known as GDPR) came into effect on 25 May 2018. The key changes compared to previous data protection regulation are:
- Transparency: the Act requires all organisations, including Girlguiding, to tell you why they're asking for your personal data, why they need it, what they want to use it for, if they are going to share it and how long it will be kept for.
- Consent: if you’re using someone’s permission to use their personal data, the new law gives them greater protection and the right to withdraw this permission at any time.
- Security: the consequences of not keeping data safe is more severe, we must make sure we all follow the guidance provided to keep data safe against any potential theft or loss.
- Accountability: Girlguiding is required to keep records and evidence to prove we’re complying with the law.
- Data breach: if personal information is lost or shared improperly, this is a data breach. All incidents like this must be reported to Girlguiding HQ. If a data breach risks harm to an individual either financially or reputational, we'll need to report these to the regulator.
- Individual rights: existing individual rights have been added to and updated. For example, people now have the right to have their data deleted, and the right to have copies of your data (SAR) has been made more accessible.
- If we get it wrong: The ultimate fine is €20 million or 4% of our annual turnover.
The seven data principles
As part of the UK Data Protection Act 2018 (also known as GDPR), there are seven key principles surrounding the use of personal data. It must be:
- Processed lawfully, fairly and in a transparent manner: so we’ll tell people what personal information we want to use, why and how long we’ll keep it.
- Collected for specified, explicit and legitimate purposes and will not be used for a different purpose other than which we have told you. This means we can't collect your personal information for one reason, and then use it for something else.
- Adequate, relevant and limited to what is necessary for the purpose for which it was collected for. We must only collect the minimum amount of personal information necessary for the reason we want it for.
- Accurate and, where necessary, kept up to date: any personal data we collect must be checked regularly to make sure it’s not wrong or out of date.
- Not kept for longer than is necessary: so we’ll delete it as soon as we no longer need the personal information.
- Processed in accordance with the rights of the data subject: We'll all have legal rights that we can use to limit, restrict or prevent organisations using our personal data. This means if someone acts on one of these rights, we must have procedures in place to respond.
- Compliant with the data security principles set out in the updated GDPR legislation: the law states we must keep your information secure whilst it’s under our control.