The General Data Protection Regulation (GDPR) takes effect on 25 May 2018 and affects every organisation that uses personal data of EU citizens. Under the GDPR, valid consent must be:
- Unbundled: Asking for consent should be separate from other terms and conditions, so individuals are clear about what they are consenting to. Consent should not be a pre-condition of signing up to a service unless it is necessary for that service.
- Active opt-in: The GDPR makes it clear in the recitals that pre-ticked boxes are not a valid form of consent. Clear opt-in boxes should be used.
- Granular: Where various different types of data processing may occur, allow for separate consent as much as possible. The ICO wants organisations to be as granular as possible, which means giving consumers more control over what they are consenting to.
- Named: Always tell individuals who your organisation is and name any third parties that the data will be shared with. The draft ICO guidance states that terms like ‘we will only share your data with other men’s clothing retailers’ are not specific enough. The individual organisations that the data will be shared with need to be named.
- Documented: Maintain records of the consents you have. Record the following information: what the individual has consented to; what they were told at the time; and the method of consent.
- Easy to withdraw: Individuals should be easily able to withdraw their consent. Organisations must put in place simple, fast methods for withdrawing consent and tell individuals about their right to withdraw consent.
- Freely given: Consent should be freely given by individuals.
There are consequences for failing to comply with these new rules, including fines, individual lawsuits and compensation claims, so we encourage every business, whatever its size, to review its existing policies and get prepared.
Here are some ways in which you can prepare:
- Appoint your own Data Protection Officer
- Prepare for the GDPR by reviewing the systemic ways you use data and look at what needs to change to meet the new requirements around the “right to be forgotten, right to erasure and the right to data portability.” (Computer Business Review, 2017)
- Data protection is not just about personal data and compliance. If you would like to find out more about this topic, here is a recently written article on cyber security and how to protect your business.
- Many of the rules are similar to those in the current Data Protection Act (DPA), so if you are complying properly with the current law you will have a good foundation to build on.
If you would like any more information, please do not hesitate to contact Lydia who will be able to help you and point you in the right direction.