Welcome

La Meer Inc.

La Meer Inc. is a Silicon Valley organization that offers the GRACE suite of web-based solutions for:

  • Operational Risk
  • Compliance Management
  • Client Compliance
  • Client Management
  • IT Risk
  • Vendor Risk
  • Operational Due Diligence

La Meer solutions are built for Financial Markets by professionals with 150+ years of experience building technology for Finance.

Get In Touch

Email: info@lameerinc.com
Phone: +1(408) 740 7205
Address: 111 W. Saint John Street, Suite 430 San Jose, CA 95113, USA

The Seven Key Principles of GDPR

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data Minimisation
  • Accuracy
  • Storage Limitation
  • Integrity and confidentiality
  • Accountability

Article 5(1) and details on the Seven Principles

Article 5(1) requires that personal data shall be:

(a) Processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);

  • You must identify valid grounds under the GDPR (known as a ‘lawful basis’) for collecting and using personal data.
  • You must ensure that you do not do anything with the data in breach of any other laws.
  • You must use personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.
  • You must be clear, open and honest with people from the start about how you will use their personal data.

(b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

  • You must be clear about what your purposes for processing are from the start.
  • You need to record your purposes as part of your documentation obligations and specify them in your privacy information for individuals.
  • You can only use the personal data for a new purpose if either this is compatible with your original purpose, you get consent, or you have a clear basis in law.

(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

You must ensure the personal data you are processing is:

  • adequate – sufficient to properly fulfil your stated purpose;
  • relevant – has a rational link to that purpose; and
  • limited to what is necessary – you do not hold more than you need for that purpose.

(d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

  • You should take all reasonable steps to ensure the personal data you hold is not incorrect or misleading as to any matter of fact.
  • You may need to keep the personal data updated, although this will depend on what you are using it for.
  • If you discover that personal data is incorrect or misleading, you must take reasonable steps to correct or erase it as soon as possible.
  • You must carefully consider any challenges to the accuracy of personal data.

(e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);

(f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

  • You must ensure that you have appropriate security measures in place to protect the personal data you hold.
  • This is the ‘integrity and confidentiality’ principle of the GDPR – also known as the security principle.

Article 5(2)

Article 5(2) adds that:

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

Definition of Personally Identifiable Information (PII)

  • Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.
  • What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.
  • If it is possible to identify an individual directly from the information you are processing, then that information may be personal data.
  • If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.
  • Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual.
  • When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.
  • It is possible that the same information is personal data for one controller’s purposes but is not personal data for the purposes of another controller.
  • Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of GDPR.
  • Information which is truly anonymous is not covered by the GDPR.
  • If information that seems to relate to a particular individual is inaccurate (ie it is factually incorrect or is about a different individual), the information is still personal data, as it relates to that individual.

More sensitive information handling

Some of the personal data you process can be more sensitive in nature and therefore requires a higher level of protection. The GDPR refers to the processing of these data as ‘special categories of personal data’. This means personal data about an individual’s:

  • race;
  • ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data (where this is used for identification purposes);
  • health data;
  • sex life; or
  • sexual orientation.

Personal data can include information relating to criminal convictions and offences. This also requires a higher level of protection.

Unstructured paper records

The GDPR does not cover information which is not, or is not intended to be, part of a ‘filing system’. However, under the Data Protection Act 2018 (DPA 2018) unstructured manual information processed only by public authorities constitutes personal data. This includes paper records that are not held as part of a filing system. While such information is personal data under the DPA 2018, it is exempted from most of the principles and obligations in the GDPR; the DPA 2018 provision is aimed at ensuring that it is appropriately protected for requests under the Freedom of Information Act 2000.

Individual's Right to be Informed

  • Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
  • You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
  • You must provide privacy information to individuals at the time you collect their personal data from them.
  • If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
  • The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.
  • You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.

Individual's Right of Access - Subject Access

  • Individuals have the right to access their personal data.
  • Individuals can make a subject access request verbally or in writing.
  • You have one month to respond to a request.
  • You cannot charge a fee to deal with a request in most circumstances.

Individual's Right to Rectification

  • The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
  • An individual can make a request for rectification verbally or in writing.
  • You have one calendar month to respond to a request.
  • In certain circumstances you can refuse a request for rectification.
  • This right is closely linked to the controller’s obligations under the accuracy principle of the GDPR (Article 5(1)(d)).

Individual's Right to Erasure / Right to be Forgotten

  • The GDPR introduces a right for individuals to have personal data erased.
  • Individuals can make a request for erasure verbally or in writing.
  • You have one month to respond to a request.
  • The right is not absolute and only applies in certain circumstances.
  • This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.

Individuals have the right to have their personal data erased if:

  • The personal data is no longer necessary for the purpose which you originally collected or processed it for;
  • You are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
  • You are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
  • You are processing the personal data for direct marketing purposes and the individual objects to that processing;
  • You have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
  • You have to do it to comply with a legal obligation; or
  • You have processed the personal data to offer information society services to a child.

Individual's Right to Restrict Processing

Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.

Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information you hold or how you have processed their data. In most cases you will not be required to restrict an individual’s personal data indefinitely, but will need to have the restriction in place for a certain period of time.

  • Individuals have the right to request the restriction or suppression of their personal data.
  • This is not an absolute right and only applies in certain circumstances.
  • When processing is restricted, you are permitted to store the personal data, but not use it.
  • An individual can make a request for restriction verbally or in writing.
  • You have one calendar month to respond to a request.
  • This right has close links to the right to rectification (Article 16) and the right to object (Article 21).

When does the right to restrict processing apply?

Individuals have the right to request you restrict the processing of their personal data in the following circumstances:

  • The individual contests the accuracy of their personal data and you are verifying the accuracy of the data;
  • The data has been unlawfully processed (ie in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
  • You no longer need the personal data but the individual needs you to keep it in order to establish, exercise or defend a legal claim; or
  • The individual has objected to you processing their data under Article 21(1), and you are considering whether your legitimate grounds override those of the individual.

Individual's Right of Data Portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

  • It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
  • Doing this enables individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.
  • The right only applies to information an individual has provided to a controller.
  • Some organisations in the UK already offer data portability through midata and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe.

Individual's Right to Object

  • The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
  • Individuals have an absolute right to stop their data being used for direct marketing.
  • In other cases where the right to object applies you may be able to continue processing if you can show that you have a compelling reason for doing so.
  • You must tell individuals about their right to object.
  • An individual can make an objection verbally or in writing.
  • You have one calendar month to respond to an objection.

Individual's Rights related to automated decision making including profiling

The GDPR has provisions on automated individual decision-making (making a decision solely by automated means without any human involvement); and profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

GDPR applies to all automated individual decision-making and profiling. Article 22 of the GDPR has additional rules to protect individuals if you are carrying out solely automated decision-making that has legal or similarly significant effects on them.

  • You can only carry out this type of decision-making where the decision is:
    • necessary for the entry into or performance of a contract; or
    • authorised by Union or Member state law applicable to the controller; or
    • based on the individual’s explicit consent.
  • You must identify whether any of your processing falls under Article 22 and, if so, make sure that you:
    • give individuals information about the processing;
    • introduce simple ways for them to request human intervention or challenge a decision;
    • carry out regular checks to make sure that your systems are working as intended.

Accountability and Governance

Accountability is one of the data protection principles – it makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance.

  • You need to put in place appropriate technical and organisational measures to meet the requirements of accountability.
  • There are a number of measures that you can, and in some cases must, take including:
    • adopting and implementing data protection policies;
    • taking a ‘data protection by design and default’ approach;
    • putting written contracts in place with organisations that process personal data on your behalf;
    • maintaining documentation of your processing activities;
    • implementing appropriate security measures;
    • recording and, where necessary, reporting personal data breaches;
    • carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;
    • appointing a data protection officer; and
    • adhering to relevant codes of conduct and signing up to certification schemes.
  • Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place.

To achieve this you may choose to put in place a privacy management framework. This can help you create a culture of commitment to data protection, by embedding systematic and demonstrable compliance across your organisation. Amongst other things, your framework should include:

  • Robust program controls informed by the requirements of the GDPR
  • Appropriate reporting structures
  • Assessment and evaluation procedures
  • A good level of understanding and awareness of data protection amongst your staff
  • Comprehensive but proportionate policies and procedures for handling personal data
  • Records of what you do and why
  • A ‘data protection by design and default’ approach

Article 24(1) of the GDPR says that:

  • You must implement technical and organisational measures to ensure, and demonstrate, compliance with the GDPR
  • The measures should be risk-based and proportionate
  • You need to review and update the measures as necessary

Controllers and Processors

  • Understanding your role in relation to the personal data you are processing is crucial in ensuring compliance with the GDPR and the fair treatment of individuals.
  • Your obligations under the GDPR will vary depending on whether you are a controller, joint controller or processor.
  • The Regulators have the power to take action against controllers and processors under the GDPR.
  • Individuals can bring claims for compensation and damages against both controllers and processors.
  • You should take the time to assess, and document, the status of each organisation you work with in respect of all the personal data and processing activities you carry out.
  • Whether you are a controller or processor depends on a number of issues. The key question is – who determines the purposes for which the data are processed and the means of processing?
  • Organisations that determine the purposes and means of processing will be controllers regardless of how they are described in any contract about processing services.

You are a controller if

  • You decide to collect or process the personal data.
  • You decide what the purpose or outcome of the processing is to be.
  • You decide what personal data should be collected.
  • You decide which individuals to collect personal data about.
  • You obtain a commercial gain or other benefit from the processing, except for any payment for services from another controller.
  • You are processing the personal data as a result of a contract between you and the data subject.
  • The data subjects are your employees.
  • You make decisions about the individuals concerned as part of or as a result of the processing.
  • You exercise professional judgement in the processing of the personal data.
  • You have a direct relationship with the data subjects.
  • You have complete autonomy as to how the personal data is processed.
  • You have appointed the processors to process the personal data on your behalf.

You are a joint controller if

  • You have a common objective with others regarding the processing.
  • You are processing the personal data for the same purpose as another controller.
  • You are using the same set of personal data (eg one database) for this processing as another controller.
  • You have designed this process with another controller.
  • You have common information management rules with another controller.

You are a processor if

  • You are following instructions from someone else regarding the processing of personal data.
  • You were given the personal data by a customer or similar third party, or told what data to collect.
  • You do not decide to collect personal data from individuals.
  • You do not decide what personal data should be collected from individuals.
  • You do not decide the lawful basis for the use of that data.
  • You do not decide what purpose or purposes the data will be used for.
  • You do not decide whether to disclose the data, or to whom.
  • You do not decide how long to retain the data.
  • You may make some decisions on how data is processed, but implement these decisions under a contract with someone else.
  • You are not interested in the end result of the processing.

Consent Management

  • Check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard.
  • Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
  • Explicit consent requires a very clear and specific statement of consent.
  • Keep your consent requests separate from other terms and conditions.
  • Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
  • Be clear and concise.
  • Name any third party controllers who will rely on the consent.
  • Make it easy for people to withdraw consent and tell them how.
  • Keep evidence of consent – who, when, how, and what you told people.
  • Keep consent under review, and refresh it if anything changes.
  • Avoid making consent to processing a precondition of a service.

Requesting Consent

  • Ensure that you have checked that consent is the most appropriate lawful basis for processing.
  • Ensure that the request for consent is prominent and separate from your terms and conditions.
  • Ask people to positively opt in.
  • Don’t use pre-ticked boxes or any other type of default consent.
  • Use clear, plain language that is easy to understand.
  • Specify why you want the data and what you are going to do with it.
  • Give separate distinct (‘granular’) options to consent separately to different purposes and types of processing.
  • Name your organisation and any third party controllers who will be relying on the consent.
  • Tell individuals they can withdraw their consent.
  • Ensure that individuals can refuse to consent without detriment.
  • Do not make consent a precondition of a service.
  • If you offer online services directly to children, only seek consent after having age-verification measures (and parental-consent measures for younger children) in place.

Recording consent

  • Keep a record of when and how you got consent from the individual.
  • Keep a record of exactly what they were told at the time.

Managing consent

  • Regularly review consents to check that the relationship, the processing and the purposes have not changed.
  • Have processes in place to refresh consent at appropriate intervals, including any parental consents.
  • Keep a privacy dashboard to monitor consent status.
  • Make it easy for individuals to withdraw their consent at any time, and describe how to do so.
  • Act on withdrawals of consent as soon as you can.
  • Ensure there are no penalties for individuals who wish to withdraw consent.
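The three consent checklists above (requesting, recording and managing consent) describe practices rather than code. The following Python module is an added illustration, not part of this page and not La Meer's GRACE product, of how an append-only consent ledger can enforce them in software: it rejects anything that is not a positive opt-in, keeps consent granular per purpose, stores the who/when/how/what-they-were-told evidence, treats a changed privacy notice as a reason to refresh consent, records withdrawals as first-class events, and produces the list a privacy dashboard would show. The class and function names, the one-year review interval and the sample subject and purposes are assumptions made for the example; the GDPR fixes no such interval.

```python
"""Consent ledger example (added illustration; not the page's or La Meer's code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable evidence record: who, when, how, and what they were told."""
    subject_id: str
    purpose: str                  # one granular purpose per event, never "everything"
    granted: bool                 # True = opt-in, False = withdrawal
    recorded_at: datetime
    method: str                   # how consent was captured, e.g. "web_form"
    notice_version: str           # which privacy information the person saw
    controllers: Tuple[str, ...]  # named third-party controllers relying on it


class ConsentLedger:
    # Assumed review cadence for this example only; the GDPR sets no fixed number.
    REVIEW_INTERVAL = timedelta(days=365)

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []  # append-only: nothing is ever edited

    def record_opt_in(self, subject_id: str, purpose: str, method: str,
                      notice_version: str, controllers: Tuple[str, ...] = (),
                      *, affirmative_action: bool,
                      when: Optional[datetime] = None) -> ConsentEvent:
        """Store a positive opt-in; a default or pre-ticked 'consent' is refused."""
        if not affirmative_action:
            raise ValueError("consent needs a clear affirmative act; defaults are not consent")
        event = ConsentEvent(subject_id, purpose, True, when or datetime.now(timezone.utc),
                             method, notice_version, tuple(controllers))
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, method: str,
                 when: Optional[datetime] = None) -> ConsentEvent:
        """A withdrawal is evidence too, and it takes effect at once."""
        event = ConsentEvent(subject_id, purpose, False, when or datetime.now(timezone.utc),
                             method, notice_version="n/a", controllers=())
        self._events.append(event)
        return event

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        matches = [e for e in self._events
                   if e.subject_id == subject_id and e.purpose == purpose]
        return max(matches, key=lambda e: e.recorded_at) if matches else None

    def has_consent(self, subject_id: str, purpose: str, current_notice: str,
                    now: Optional[datetime] = None) -> bool:
        """Valid only if the newest event for this purpose is an opt-in, was given
        under the privacy notice currently in force, and is within the review interval."""
        now = now or datetime.now(timezone.utc)
        e = self.latest(subject_id, purpose)
        if e is None or not e.granted or e.notice_version != current_notice:
            return False
        return now - e.recorded_at <= self.REVIEW_INTERVAL

    def due_for_refresh(self, current_notice: str,
                        now: Optional[datetime] = None) -> List[Tuple[str, str]]:
        """Dashboard view: (subject, purpose) pairs still opted in but no longer valid."""
        now = now or datetime.now(timezone.utc)
        keys = sorted({(e.subject_id, e.purpose) for e in self._events})
        return [k for k in keys
                if self.latest(*k).granted and not self.has_consent(*k, current_notice, now)]

    def evidence(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one person, e.g. to answer a subject access request."""
        return [e for e in self._events if e.subject_id == subject_id]


def demo() -> dict:
    """Walk a constructed subject through the lifecycle with fixed timestamps."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ledger.record_opt_in("subject-123", "newsletter", "web_form", "notice-v1",
                         controllers=("Example Mailer Ltd",), affirmative_action=True, when=t0)
    try:  # a pre-ticked box for a second purpose must be refused
        ledger.record_opt_in("subject-123", "profiling", "web_form", "notice-v1",
                             affirmative_action=False, when=t0)
        default_rejected = False
    except ValueError:
        default_rejected = True
    result = {
        "default_rejected": default_rejected,
        "valid_after_opt_in": ledger.has_consent("subject-123", "newsletter", "notice-v1", t0),
        "other_purpose_not_covered": ledger.has_consent("subject-123", "profiling", "notice-v1", t0),
        "invalid_after_notice_change": ledger.has_consent("subject-123", "newsletter", "notice-v2", t0),
        "due_after_a_year": ledger.due_for_refresh("notice-v1", t0 + timedelta(days=400)),
    }
    ledger.withdraw("subject-123", "newsletter", "email", when=t0 + timedelta(days=30))
    result["valid_after_withdrawal"] = ledger.has_consent(
        "subject-123", "newsletter", "notice-v1", t0 + timedelta(days=31))
    result["evidence_events"] = len(ledger.evidence("subject-123"))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the ledger is append-only: withdrawals and refreshed opt-ins are new events rather than edits, so the record of exactly what a person was told and when survives as evidence, and `evidence()` can hand the whole history back in a subject access request.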