Week 1 of 8 – GDPR Legality, Consent and Territorial Scope
In this first week of our 8-week GDPR series, we explore what needs to be looked at and addressed to comply in the area of Legality and Consent.
Legality and Consent are fundamental to GDPR, so a breach of the articles focusing on them could lead to the maximum €20m fine.
Does GDPR apply?
First of all, does GDPR apply to your organisation?
Does your company hold any information belonging to EU residents* (which includes anyone living in those states, such as visa holders, asylum seekers etc.) that could be used to identify them?
- Think of the HR systems, customer records, sales & marketing data etc. Also remember to think of the different teams and departments around your organisation who may be busily collecting personal information.
- If the answer is ‘yes’, you will need to keep reading and comply with GDPR. If it is definitely ‘no’, for you and for everyone in your supply chain, then you don’t need to worry about GDPR, although you will need to monitor the situation and make sure it doesn’t change.
*EU States: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK.
GDPR applies: what to do?
OK – so GDPR applies to your organisation. What now?
The first thing you must do is make sure that you have the consent of the Data Subject (the person to whom the data refers).
- In GDPR speak, the consent must be explicit – a pre-populated tick box unfortunately won’t wash any more – and the consent must be specific to the purpose of processing.
- For example: if you have consent to use the data to send someone account statements, you can’t start using the data to see if they are interested in switching Internet Service Providers – not without asking first.
- So have a look at what consent is in place and make sure it is recorded and can be quickly shown as evidence if required.
There are further twists regarding consent that you need to be aware of with GDPR.
- One is the right of the Data Subject to withdraw consent at any time. This will give organisations a bit of a headache, as they will need both processes and the technical ability to remove specific data if required.
- You’ll also need the subject’s consent if you plan to share the PII – no more sharing customer data, I’m afraid. However, there are also some allowances where consent is not required – if, for example, you need to share the PII to complete a contract, then you don’t need specific consent. To illustrate: if you sell a customer a book, you can share their data with the courier without consent, as the courier needs it to deliver the book and fulfil the contract.
Remember the third parties
While we have been talking about ‘you’ or ‘your organisation’ in this article so far, any third parties that may be involved also need to be considered.
- Do you have someone who you use to issue invoices? Any back-office processing taking place with other companies?
- If so, they need to adhere to the same requirements. In the event of a data breach, the ‘controller’ (probably your organisation) is responsible for the data, regardless of where the breach took place.
In addition to ensuring consent is received and recorded, GDPR also lays down that you should only hold the absolute minimum amount of personal data required to carry out the processing. If you are holding physical addresses, phone numbers and email addresses, but only one of those channels is used, then the superfluous data should be removed from existing records and not collected from new data subjects in the future. This will clearly lead to process changes in data collection.
Summary of Legality & Consent
Consent & Legality Pointers
So, if you have got this far and still aren’t sure what Consent and Legality in GDPR mean for you, here are a few simple pointers to help get you started:
- Check if the data being held and used by your organisation can be used to identify EU residents – if it can, you need to comply with GDPR by the 25th of May 2018. This is applicable even if you are not based in the EU.
- When looking at the data held in your organisation, think about different teams and departments and any third parties you may use. If you are holding and using data that can be used to identify a person, then GDPR needs to be complied with.
- Look at the consent you have from the ‘Data Subjects’. It needs to be clear that they have agreed for you to use their personal data for all the purposes that it is being used. If not, the consent needs to be obtained again.
- Make sure the data being held is kept to the minimum needed to do the processing. In future, make sure that only the minimum required data is gathered and retained.
- If a subject withdraws consent to have their data held, you must respond to this and stop processing all instances of that individual’s information.
Next week – 2 of 8:
Next week we will focus on Data Mapping: an important exercise to carry out regularly to stay on top of your data.
If you have any questions about this article or any other GDPR topic, please contact:
Graeme Riley is an experienced Global CIO with extensive experience in IT Security and Data Protection. He is currently a Director at Intersys Compliance Ltd.