MCS InTegrated Solution recently held a series of workshops called
“An Introduction to GDPR”. The sessions were very well attended and provoked some good discussions about key aspects of the regulations.
This blog will focus on, and hopefully provide you with a better understanding of three key topics that persisted throughout the workshop discussions, namely:
Consent is one of six grounds under which personal data may be lawfully processed under GDPR:
“Processing shall be lawful if ……. (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes…“
In practice, some key considerations here are:
Data subjects have the right to withdraw their consent at any time and they should be informed of this right and how to exercise it at the time of giving consent.
Explicit consent is required to process sensitive personal data. This is the same as ‘normal GDPR consent, except it must be obtained in a way that leaves no room for misinterpretation. In other words, it must be provided in a clear written or spoken statement.
IS IT ACCEPTABLE TO CONTINUE USING DATA COLLECTED PRIOR TO GDPR?
One important discussion held at the workshops was that of historical consent, i.e., is it acceptable to process data that was collected months or years previously?
The good news is it might be! All processes and records will need to be checked in detail to see if existing consents meet the GDPR standard.
You can continue to rely on any existing documented consent if the consent was gathered in a manner which is compliant with the GDPR standard. However, you will also need to put in place mechanisms for data subjects to withdraw their consent easily.
If your research shows that previously acquired consent does not meet the GDPR standard (perhaps consent was assumed by a pre-filled tick box) then that consent is not valid. You will need to either seek the GDPR-compliant consent of the relevant data subjects or find another lawful basis for processing their data. An administrative burden no doubt, but one which you will need to bear if you still wish to lawfully process the data of these subjects.
As per Julian Box, Calligo CEO: “Of course, security is a huge concern, but it is only one part of the GDPR jigsaw..There is little point putting a ring of steel around data you shouldn’t have.”
This clarity gives individuals greater choice and control over how their personal data is used and therefore builds trust between organisations and their customers, adding to consumer confidence that, as per the first principle of GDPR:
“Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”
Under GDPR a Privacy Notice must have:
HOW TO DISPLAY PRIVACY NOTICES
And finally, for this blog, the principle of minimisation:
“Personal data must be adequate, relevant and limited to that which is necessary..”
Key here is:
There is a tendency, particularly in the pre-GDPR world, for businesses to collect ‘nice to have’ data but that will no longer be acceptable post May 2018.
The following is an example is taken from the web for a subscription to an online ezine:
What do you think is the minimum data required by the ezine publisher?
An email address.
Nothing else. One could possibly argue that the first name is a requirement if the ezine is to be personalised but that is subjective and not obligatory.
Getting back to our GDPR workshops, the attendees came from a wide range of industries. It became clear that there was an equally wide range of awareness of how the GDPR will affect their way of doing business.
Studious participants at one of GDPR workshops.
What we, as facilitators learned, is that individuals will gain a real and useful insight into the meaning of the GDPR if the information is presented in concise uncomplicated measures. Therefore, we will continue to provide more GDPR-related blogs as we progress towards the GDPR implementation date in May next year. Our next blog will focus on the topics of:
We would also be delighted to hear from you if you would like MCS Integrated Solutions to assist you on your GDPR journey. You may contact us here.