HOW MCS INTEGRATES WITH SSE AIRTRICITY DUBLIN MARATHON 2017
October 28, 2017
GDPR – HOW IT AFFECTS PROCESSING OF PERSONAL DATA IN THE EMPLOYMENT CONTEXT
March 21, 2018
MCS InTegrated Solution recently held a series of workshops called
“An Introduction to GDPR”. The sessions were very well attended and provoked some good discussions about key aspects of the regulations.
This blog will focus on, and hopefully provide you with a better understanding of three key topics that persisted throughout the workshop discussions, namely:
- Consent
- Privacy notices
- Data minimisation
CONSENT
Consent is one of six grounds under which personal data may be lawfully processed under GDPR:
“Processing shall be lawful if ……. (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes…“
In practice, some key considerations here are:
- How does your organisation seek, obtain and record consent?
- Have you records to show that consent is freely given and unambiguous?
- Is there a clear mechanism to positively opt-in, for example, the data subject ticks a box or selects settings?
- Is the data subject fully informed of your identity, who you will share their personal data with and the purpose for which it is being collected?
- If you carry out additional processing, is it compatible with the original purpose? In other words, would the data subject object or complain if they know you were carrying out this additional processing?
- If dealing with children under 16, have you consent from the guardian?
Data subjects have the right to withdraw their consent at any time and they should be informed of this right and how to exercise it at the time of giving consent.
Explicit consent is required to process sensitive personal data. This is the same as ‘normal GDPR consent, except it must be obtained in a way that leaves no room for misinterpretation. In other words, it must be provided in a clear written or spoken statement.
IS IT ACCEPTABLE TO CONTINUE USING DATA COLLECTED PRIOR TO GDPR?
One important discussion held at the workshops was that of historical consent, i.e., is it acceptable to process data that was collected months or years previously?
The good news is it might be! All processes and records will need to be checked in detail to see if existing consents meet the GDPR standard.
You can continue to rely on any existing documented consent if the consent was gathered in a manner which is compliant with the GDPR standard. However, you will also need to put in place mechanisms for data subjects to withdraw their consent easily.
If your research shows that previously acquired consent does not meet the GDPR standard (perhaps consent was assumed by a pre-filled tick box) then that consent is not valid. You will need to either seek the GDPR-compliant consent of the relevant data subjects or find another lawful basis for processing their data. An administrative burden no doubt, but one which you will need to bear if you still wish to lawfully process the data of these subjects.
As per Julian Box, Calligo CEO: “Of course, security is a huge concern, but it is only one part of the GDPR jigsaw..There is little point putting a ring of steel around data you shouldn’t have.”
PRIVACY
A Privacy Notice, also called a Privacy Statement is information provided to individuals at the point of collection about how a data controller will use their personal data. A website Privacy Statement is not to be confused with a Privacy Policy.
A Privacy Policy is a document that describes how an organisation applies data protection principles to the way it processes data throughout the organisation. The policy applies to all personal data processed, including customer data, third party data and employee data. It is fundamentally a document for internal reference.
On the other hand, as per the Data Protection Commissioner, “a Privacy Statement is a public declaration of how the organisation applies data protection principles to data processed on its website”. It is a more narrowly focused document (than a privacy policy) and by its public nature should be both concise and clear.
This clarity gives individuals greater choice and control over how their personal data is used and therefore builds trust between organisations and their customers, adding to consumer confidence that, as per the first principle of GDPR:
“Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”
Under GDPR a Privacy Notice must have:
- Transparency – what is your lawful basis for collecting the data, what will you do with it and who will you share it with
- Clarity – it is written in concise, plain language and is easy to understand. If your privacy notice is addressed to data subjects under the age of 16, make sure the language is age appropriate so they will understand it.
- Retention details – how long do you intend to keep the subject’s data for?
- Contact details – provide information about your identity and the contact details of your DPO (Data Protection Officer) if you have one.
- Rights of the data subjects – information on the right to access, rectify, erase or restrict processing of their data. Make sure subjects are informed of their right to withdraw consent at any time.
- Regarding CCTV capturing personal data, the data controller must make the identity of the data controller and the purpose of data processing clear on its privacy notice.
- As per the DPC “notification of CCTV usage can usually be achieved by placing easily- read and well-lit signs in prominent positions. A sign at all entrances will normally suffice”
HOW TO DISPLAY PRIVACY NOTICES
There is discretion for data controllers to consider where the information required by GDPR should be displayed. Different layers of a notice are acceptable. The example below of an on-line privacy notice illustrates how you can make visible the essential details for consent while providing a link to the more in-depth privacy policy:
DATA MINIMISATION
And finally, for this blog, the principle of minimisation:
“Personal data must be adequate, relevant and limited to that which is necessary..”
Key here is:
- collect sufficient personal data to carry out your stated lawful processing, but do not hold any personal data that is not needed for this purpose.
There is a tendency, particularly in the pre-GDPR world, for businesses to collect ‘nice to have’ data but that will no longer be acceptable post May 2018.
The following is an example is taken from the web for a subscription to an online ezine:
What do you think is the minimum data required by the ezine publisher?
The answer?
An email address.
Nothing else. One could possibly argue that the first name is a requirement if the ezine is to be personalised but that is subjective and not obligatory.
Getting back to our GDPR workshops, the attendees came from a wide range of industries. It became clear that there was an equally wide range of awareness of how the GDPR will affect their way of doing business.
Studious participants at one of GDPR workshops.
What we, as facilitators learned, is that individuals will gain a real and useful insight into the meaning of the GDPR if the information is presented in concise uncomplicated measures. Therefore, we will continue to provide more GDPR-related blogs as we progress towards the GDPR implementation date in May next year. Our next blog will focus on the topics of:
- purpose limitation (boundaries within which personal data may be processed)
- processing CCTV data
- processing employee data
We would also be delighted to hear from you if you would like MCS Integrated Solutions to assist you on your GDPR journey. You may contact us here.