What is this GDPR?
Consumers are being given never before seen digital rights. They must also consent to the use of their data and request access to the data held on them. The fines for non-compliance are considerable (up to 4% of turnover or €20 million). These steps will set you on the right track towards ensuring compliance.
Look at what information you collect, store or process, The GDPR requires you to keep a record of what information you process.
You need to provide certain information when you collect data. For example, you need to let people know how you’re going to use their information. Under the GDPR in your privacy notice you need to explain your lawful basis for processing the data and your data retention periods.
Rights under the GDPR are broadly similar to the preceding data protection legislation, so if you were well covered before, this shouldn’t be too burdensome. However, there are some enhancements. The GDPR gives the right to:
- Be Informed;
- Given access;
- Restrict processing;
- Data portability;
- Object; and
- Not be subject to automated decision making profiling.
The right to data portability applies to personal data provided to a controller where the processing is based on the individual’s consent or for the performance of a contract, and when the processing is carried out by automated means.
You need to put a new process in place. This is of particular operational importance if you are dealing with a high volume of these requests. Under the new rules you can’t charge for a request and only have a month to comply. However, you can refuse requests that are unfounded or excessive although you need to tell the individual why.
Lawful Basis for Processing Data
You need to identify and then document your lawful basis for processing personal data. The GDPR is broadly similar to the Data Protection Act. Under the GDPR the lawful basis must be explained in the privacy notice and when answering an access request. Companies should review the data they process and the lawful basis for doing so.
Consent must be freely given, specific, informed and unambiguous. There must be a positive opt in for consent and it cannot be inferred from silence. There need to be simple ways for people to withdraw their consent.
The GDPR is bringing in special protection for children’s personal data. This is particularly important to companies offering social networking. The GDPR gives the age at which a child can give consent as 16 and if they are younger consent will need to be given by someone holding ‘parental responsibility’. Consent needs to be verifiable and written in a language children will understand.
If there has been a data breach companies will need to inform the ICO and in some cases there is a need to inform the individual. The type of breach needed to qualify for notification is one which could result in discrimination, reputational damage, financial loss, loss of confidentiality or significant social or economic loss. A policy should be put in place to identify protocol in the case of a breach.
Data Protection Design and Data Protection Impact Assessments
Data protection by design is mandatory and Data Protection Impact Assessments (DPIA) are mandatory in certain situations. A DPIA is mandatory if there is a high risk to individuals (new technology or a profiling operation for example). You should consider where it will be necessary to conduct a DPIA.
Data Protection Officers
A Data Protection Officer should be assigned. This is a legal requirement if you are a public authority, an organisation that regularly monitors individuals, or an organisation that processes large amounts of data (health records or criminal convictions).
If an organisation operates in multiple EU states then one lead data protection supervisory authority should be designated. This should be where an organisations main establishment is based.