5 Simple Rules on the use of personal data in your daily work, to achieve compliance with GDPR

5 Simple Rules on the use of personal data in your daily work, to achieve compliance with GDPR

Use GDPR privacy awareness training and policy documents to help you to build awareness on these 5 simple rules for working with personal data across your organisation!


All processing/use of personal data in your work must have a specific purpose. 
There must be a specific purpose for data you collect on customers, prospects, applicants for jobs, employees, etc.   If it is not, then officially it has no purpose and you should report this fact to your data protection responsible. They will either make it an approved processing activity if a purpose necessity is assigned, or request that it is deleted. 

2. Restrict COLLECTION

When you collect personal data in your work, you should ask yourself first, is it absolutely necessary? 
If you create a web-form for customers to purchase goods online, you should only request personal data which is necessary to fulfil the purpose. For example, when delivering a book, only the name and delivery address of the customer are needed, nothing more. 

3. Restrict USE 

This is about how personal data collected is used within the organisation. 
When you as an employee use personal data, you are processing it on behalf of your employer, the controller. The restrict use rule requires that you stop and think before: 
  1. downloading personal data from any internal system onto any of your work or private devices, 
  2. appending personal data to an email, e.g. attachments, 
  3. forwarding emails which contain personal data.
For example if personal data of a customer has been collected for the purpose to fulfil an order/contract, then this data should not be used for anything else, unless the data protection responsible say it's okay. For example, personal data needs to be used in order to fulfil a legal obligation, e.g. the business needs to pay taxes on sales.

4. Restrict SHARE

Only share personal data outside of the organisation if this is communicated within the privacy notice which is communicated to the data subject, e.g. customers, employees, etc. 
 You should only share personal data outside of your organisation as stated in the organisation’s privacy  notice.  The European Union (EU) has the strongest data protection laws globally, which means in practice that personal data must not be shared/transferred outside of the EEA* without legal advice. 

If you have shared personal data by accident, you should report immediately to the data protection responsible in your organisation, in larger organisations the role is called Data Protection Officer (DPO.)  

5 . Secure DESTRUCT

Once personal data has fulfilled its purpose it  should be safely destructed. 
  1. Shred all paper copies;
  2. Delete files periodically from your ‘downloads’ folder;
  3. Empty your recycle bin regularly, both on your  computer and in your e-mail;
  4. Do not throw out digital devices that have  personal data stored on them even if you have deleted that data. Get an expert to do it.*

    • Related Articles

    • What is a personal data breach?

      Making GDPR compliance easy with Privasee · Personal Data Breach Definition A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data ...
    • What is pseudonymised data?

      Pseudonymised data is reversible. Normally what entails is that a name could be replaced with a unique ID, and maybe there's a table somewhere to enable the processor to be able to reverse back again. Now pseudonymised data is still personal data ...
    • What is anonymised data?

      Making GDPR compliance easy with Privasee · Anonymisation Now we are going to now just take a quick dip into what anonymisation is, because when personal is anonymised, it stops being personal data, and this should not be mixed up with ...
    • How can we protect the customer from sharing more personal data than absolutely necessary?

      When requesting personal data on a web-page, a practical way to limit collection is to use drop-down choices and click-boxes rather than to request free-text answers. This protects the customer from sharing too much personal data. Any form of ...
    • GDPR and the Data Subject

      Making GDPR compliance easy with Privasee · GDPR and the Data Subject The GDPR is individual centric. It places the data subject right in the middle. And it gives the data subject enforceable rights. In effect, one can say, that reading between the ...