Data privacy is something that dominates our lives. We’re asked to hand over our personal information for seemingly everything that we do – from browsing the web to high-street shopping.
Although many of us are broadly aware of the risks involved when sharing our personal data, it often doesn’t get the attention it deserves.
It’s why, for the past sixteen years, 28 January has marked Data Privacy Day – an international event that raises awareness about online privacy and educates people on the ways they can protect their personal information.
In the run-up to the event, DQM GRC is delving into some of the biggest obstacles that surround data privacy. Keep an eye out on our website for our upcoming whitepaper, Privacy By Design, but in the meantime, we turn our attention in this blog to the rules related to personal data processing.
Knowing how to collect people’s personal information responsibly is at the heart of data privacy. If you can do that correctly, you mitigate many of the risks associated with data protection.
The GDPR (General Data Protection Regulation) details exactly how organisations can achieve this. It contains three sections dedicated to data processing, which we look at in more depth in this blog.
A data controller is the person or group of people that decides when and why an organisation collects personal data. The position is integral to the GDPR, although it didn’t originate with the Regulation. Organisations have always had to have oversight of these practices.
However, the role has become far more significant since the GDPR took effect, given the breadth of requirements that organisations must meet and the potential penalties for non-compliance.
Data controllers must determine things such as the types of personal data to collect (names, contact information, etc.), whose information to collect, and when and where data subjects’ rights apply.
Additionally, they must establish how long the data should be retained, whether to make non-routine amendments to the data, and whether personal information will be shared with third parties.
Data controllers are also responsible for complying with Article 5 of the GDPR, which sets out the principles that organisations must apply when processing personal data.
These principles require data controllers to ensure that personal information is:
- Processed lawfully, fairly and in a transparent manner;
- Collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes;
- Adequate, relevant and limited to what is necessary;
- Accurate and, where necessary, kept up to date;
- Kept in a form that permits identification of data subjects for no longer than is necessary; and
- Processed in a manner that ensures appropriate security of the personal data.
Lawfulness of processing
Under the GDPR, organisations must document a lawful basis for processing personal data. Article 6 outlines six bases that can be used, depending on the circumstances:
- The data subject gives their explicit consent
- The processing is necessary to meet contractual obligations entered into by the data subject
- The processing is necessary to comply with the data controller’s legal obligations
- The processing is necessary to protect the data subject’s vital interests
- The processing is necessary for tasks carried out in the public interest or in the exercise of authority vested in the data controller
- The processing is necessary for the purposes of legitimate interests pursued by the data controller.
Organisations must document their lawful basis and clearly state why it applies. Many will be tempted to use consent, because it appears to be the simplest approach. However, the GDPR contains strict rules on how consent can be obtained and maintained.
Any organisation that fails to acquire consent appropriately will be forced to delete any information collected using that basis and could face a heavy fine. As such, consent should only be sought if no other lawful basis is appropriate.
If an organisation does use consent as the lawful basis for processing, it must be able to demonstrate that it has met the GDPR’s extensive rules.
The most notable requirement is documented proof that consent was given freely and using a clear, affirmative action. Any requests for consent must be:
- Unbundled: consent requests must be separate from other terms and conditions.
- Granular: the request must contain a clear explanation of a user’s options to consent to different types of processing wherever appropriate.
- Named: the request must state which organisation and third parties will be relying on consent.
- Documented: organisations must keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented.
- Easy to withdraw: organisations must tell people they have the right to withdraw their consent at any time, and how to do this.
- Without an imbalance in the relationship: organisations must check that the relationship between the organisation and the individual doesn’t pressure the individual into giving consent (such as an employee and employer, or a tenant and a housing association).
GDPR compliance support with DQM GRC
You can find more tips on data privacy and the ways you can stay on top of your regulatory requirements with our GDPR Gap Analysis.
With this service, our data protection experts will visit your organisation to determine your regulatory compliance posture. Using the GDPR RADAR™ tool, they’ll break down their findings into easy-to-understand visual guides.
DQM GRC specialise in working with large or complex organisations, helping them to understand how to apply the GDPR to their business practices, although we can also support smaller firms.
Our consultants are on hand to assess your current practices, understand your requirements, and advise you on the steps you must take to ensure GDPR compliance.