What is the GDPR?

In 2018 GDPR (General Data Protection Regulation) was a big deal. They were a new set of rules laid out by the European Parliament that enshrined the responsibilities of parties that collect, store and/ or process personal data in law.

In a policy sense, the GDPR aimed to place the burden of these responsibilities unequivocally with those data processors/ data controllers, rather than allowing companies to defer that responsibility to the individual referred to in the data.

To this end the GDPR provided a mandate to EU member states’ data protection/ regulation organisations to levy very significant fines for the misuse/ or poor handling of an individuals personal data.

In short; if an organisation leaks data, emails a person that hasn’t asked to be emailed, or shares an individuals data without permission, then rather than saying ‘well if they didn’t want us to do that they shouldn’t have given us their data’, that organisation could be fined the greater of €10m or 2% of global annual turnover.

The Digital Marketplace as a Data Processor

In the terms of the GDPR it was decided that we best fit the category of a data processor. Because we process and store data on behalf of CCS (the data controller).

We then used the GDPR legislation to determine what our responsibilities were and wrote a GDPR Policy Document detailing how we meet them. One of our core responsibilities as a data processor was to know what data we stored and how we processed it. For this we produced a Data Inventory document.

Sharing Data with CCS

After seeking legal advice it was found that Digital Marketplace and CCS can share data across departmental boundaries because they are all part of the same organisation (the Cabinet Office). Furthermore we are working to achieve the same goals.

However we took the view that it would be prudent to ensure that:

  • We created an data sharing agreement document between the Digital Marketplace team and CCS

  • We explicitly noted this in both our GDPR documentation and Privacy Notice

  • We share only what is strictly necessary

Data Minimisation

A core tenet of the GDPR is the prinicpal of data minimisation. This principal states that organisations:

must limit personal data collection, storage, and usage to data that is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed.

As long as we continue to only collect data based on user needs then this should be adhered to. But it is something for the entire team to be mindful of.