United Kingdom
5.2.2. The privacy notice should cover processing purposes, lawful bases, categories of data, recipients, international transfers, retention, rights, and contact details/DPO information where applicable. Where consent is relied upon, notices should explain the consequences of refusal/withdrawal and avoid bundled or conditional consents.

5.3. Data storage and retention timelines

The storage limitation principle requires organisations to retain personal data only as long as is necessary for stated purposes, reflected in documented retention schedules aligned to legal, regulatory, tax and sectoral obligations. End-of-life data must be securely deleted or anonymised. Where retention is mandated (e.g., financial or health records), organisations should ensure strict access controls and periodic review.

5.4. Automated decision making

Solely automated decision-making producing legal or similarly significant effects is restricted; exceptions apply where authorised by law, necessary for a contract, or based on explicit consent, with appropriate safeguards including meaningful human review.

5.5. Data protection and security practices and procedures (Chapter IV, Section 2, UK GDPR)
5.5.1. Security measures must be appropriate to risk, considering the likelihood and severity of harm, the nature and sensitivity of data, and the processing context. Technical measures typically include encryption, access controls, network security, secure development practices, vulnerability management, and resilience planning. Organisational measures include governance policies, training, supplier due diligence, incident response planning, and periodic assurance. DPIAs are required for high-risk processing (e.g., large-scale processing of sensitive data, systematic monitoring, profiling with significant effects).

5.5.2. In the event of a personal data breach where there is a risk to individuals' rights and freedoms, controllers must notify the ICO without undue delay and in any event within 72 hours of becoming aware of the breach. In addition, controllers must notify affected individuals without undue delay if the risk to the rights and freedoms of those individuals is high. Breach notifications to the ICO should, where possible, set out the nature of the breach (including the categories and approximate number of data subjects and records), the likely consequences, the measures taken or proposed to address the breach, and a contact point for further information. All breaches, whether notifiable or not, must be logged by the data controller.
https://www.fladgate.com/