Controllers checklist

Once you have completed your information audit, you should document your findings, for example in an information asset register.

Doing this will also help you to comply with the UK GDPR’s accountability principle. This requires your business to be able to show how you comply with the UK GDPR principles, for example by having effective procedures and guidance for staff.

You must record:

* the name and details of your business, each controller you are acting on behalf of, and the controllers’ representative (if relevant), your representative and the data protection officer); * categories of the processing carried out on behalf of each controller; * details of transfers to third countries including documentation of the transfer mechanism safeguards in place, if applicable; and * where possible, a general description of technical and organisational security measures.

If you have fewer than 250 employees you only need to keep these records for processing activities that:

* are not occasional; * could result in a risk to the rights and freedoms of individuals; or * involve the processing of special categories of data or criminal conviction and offence data.

You may be required to make these records available to the ICO on request.

You need to identify your lawful basis before you can process personal data.

There are six available lawful bases for processing. No single basis is better or more important than the others. The basis that is most appropriate will depend on your purpose for processing and relationship with the individual.

In summary, the six lawful bases are: (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. (b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). (d) Vital interests: the processing is necessary to protect someone’s life. (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

If you are processing special category data or criminal offence data you need to identify both a lawful basis for general processing and an additional condition (Article 9 condition) for processing this type of data. You need to give individuals information about how you intend to process their personal data and what your lawful basis is for doing so.

The UK GDPR sets a high standard for consent but remember you often won’t need consent. You should also assess whether another lawful basis is more appropriate.

Consent means offering people genuine choice and control over how you use their data. You can build trust and enhance your reputation by using consent properly.

The UK GDPR builds on the 1998 Act standard of consent in several areas and contains much more detail:

* You should keep your consent requests prominent and separate from other terms and conditions. * Seek a positive opt-in such as unticked opt-in boxes or similar active opt-in methods. * Avoid making consent a precondition of service. * Be specific and granular. Allow individuals to consent separately to different purposes and types of processing wherever appropriate. * Name your business and any specific third party organisations who will rely on this consent. * Keep records of what an individual has consented to, including what you told them, and when and how they consented. * Tell individuals they can withdraw consent at any time and how to do this.