There are only six weeks to go until the new General Data Protection Regulation (“GDPR”) comes into force. If you are yet to start preparing your business you may be starting to panic, but it isn’t too late to act. Follow LawBite’s easy-to-digest countdown guides each week from now until enforcement on May 25th, in which we will cover each of the six key principles of the GDPR and explain what you need to do in order to get your business up to speed.
Principle 1: Data must be processed lawfully, fairly and in a transparent manner in relation to individuals
GDPR seeks to ensure that personal data is processed ‘lawfully, fairly and transparently’ in relation to individuals, without adversely affecting the rights of a data subject. Transparency is a key theme running through GDPR, but what does this really mean and how can compliance be demonstrated? It’s actually pretty simple if you think of personal data as only being on loan to you from the data subject. Take the same kind of care with their data as you would if you were borrowing a friend’s car, for example. And remember that at any time they can ask for it back, check you are using it properly and, importantly, that they retain control over what you do with it.
The legislation requires that you make available a privacy notice at the time you are collecting an individual’s data. Make sure any notice is fit for purpose and sets out in clear, unambiguous language how you collect data, what kind of data you are collecting, why it is being collected, how long it is kept for and whether or not it is passed on to third parties. It should also explain the data subject’s rights, including their right to withdraw their consent and their right to lodge a complaint and, importantly, how they can contact you. Now is not the time for jargon and it is important to be explicit and say exactly what you mean! It’s also obviously important to mean what you say, so ensuring that robust data handling policies are in place and are also understood, embraced and adopted throughout your business will stand you in good stead.
In terms of the lawfulness of processing personal data, most organisations will rely on the ground of consent. Any consent you seek to rely on must be freely given, specific, informed and unambiguous, so pre-ticked boxes, for example, are no longer an acceptable way of obtaining consent. Any existing consents must be brought into line with GDPR, so if you are in any doubt, obtain new consents and keep clear records showing you have done so. Of course, consent is not the only legal basis to rely on, but whichever you opt for, in the spirit of being fair and transparent, it must be clearly identified in your GDPR documents and privacy notice.
Overall, the main things to remember are that you must tell people what you are doing with their data and ask their permission to do it. And never assume an individual’s consent from their failure to respond!
Next week, part two: The purposes for which data may be collected under GDPR… don’t miss it!
To consult with Jessica, please submit an enquiry for a free 15-minute consultation or call our dedicated GDPR Hotline 0845 241 1843.
In addition to GDPR templates, the package contains a 30-minute GDPR audit consultation and an additional 2 hours of specific GDPR legal advice, all for only £495 + VAT (versus £675 + VAT).