Integrity & Security
For you as a customer at Briox it is important to know about the new Data Protection Act and the GDPR (General Data Protection Regulation). The GDPR forms part of the data protection regime in the UK, together with the new Data Protection Act 2018 (DPA 2018). The main provisions of this Act apply, like the GDPR, from 25 May 2018. The new Act aims to modernise data protection laws to ensure they are effective in the years to come.
The Information Commissioner's Office (ICO) is the independent authority set up to uphold information rights in the public interest. On its website you will find more information about the GDPR and what you need to know and do.
Processing of personal data
The GDPR applies to the processing of personal data. Personal data is any information relating to natural persons who can be identified, or who are identifiable, directly from the information in question, or who can be indirectly identified from that information in combination with other information.
Personal data may also include special categories of personal data or criminal conviction and offence data. These are considered to be more sensitive and you may only process them in more limited circumstances.
If personal data can be truly anonymised then the anonymised data is not subject to the GDPR. It is important to understand what personal data is in order to understand if the data has been anonymised.
Note that you as a customer of Briox are the controller of all processing of personal data in the program. That is why it is important that you adhere to the principles below.
Principles of GDPR
The GDPR sets out seven key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
These principles should lie at the heart of your approach to processing personal data.
Controllers and Processors
The GDPR applies to controllers and processors. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller. Depending on which role you have, there are different responsibilities:
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach;
- However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
Briox as controller
Briox as Processor
Briox is a processor and is responsible for taking appropriate technical and organisational measures in the processing of personal data, so that you can feel safe and secure with the personal data you collect, and so that it is processed in a safe and secure way according to the law. Briox's technical and organisational measures are described under Security.
Processing of personal data in the Briox program
You, as a customer and user of Briox, are the controller of the personal data you collect and process in the Briox program. Where you collect and find personal data in Briox is described in our help texts. Briox is, as described above, a processor and takes appropriate technical and organisational measures so that you can feel safe and secure with the personal data you collect, and so that it is processed in a safe and secure way according to the law.
Lawfulness, fairness and transparency
The lawfulness, fairness and transparency principle is broadly similar to the first principle of the 1998 Act. Fairness is still fundamental. You still need to process personal data fairly and lawfully, but the requirement to be transparent about what you do with people’s data is now more clearly signposted.
Lawful basis for processing personal data in Briox
For processing of personal data to be lawful, you need to identify specific grounds for the processing. This is called a 'lawful basis' for processing, and there are six options which depend on your purpose and your relationship with the individual. You will have to identify the basis that applies. It can vary from case to case and depends on the type of business you are conducting, which laws you need to follow, and whether the data you are collecting is necessary or merely nice to have.