In my previous post, I briefly introduced the GDPR, but there is far more to it than one article can cover. In today's article, I begin to dissect this perplexing notion of data protection.
If you are a controller or processor, you need a lawful basis for every collection or processing of personal data. The GDPR recognises six such bases: the data subject's consent, performance of a contract, compliance with a legal obligation, protection of someone's vital interests, a task carried out in the public interest, and the legitimate interests of the controller (where those interests are not overridden by the rights of the individual). Consent is therefore only one option, not a mandatory step: if you cannot point to one of the other bases, you must either obtain valid consent or not process the data at all.
With this in mind, the wording of consent forms should be taken seriously.
Consent – The language used in a consent form or document must be free of jargon so that an ordinary person can understand it; avoid long, unreadable terms and legal conditions. Requests for consent must be intelligible and easily accessible, must state the purpose for which the data is being collected or processed, and must be clearly distinguishable from other content so that they do not confuse the person consenting. Withdrawing consent must be as easy as giving it. Consent must be given separately for each purpose, and the choices must not be pre-selected (a pre-ticked box is not valid consent); the person must actively select them. Consent must also not be made a condition of a service under a contract when the processing is not actually needed to perform that contract. For children under the age of 16 (member states may lower this threshold, but not below 13) using online services offered directly to them, consent must be obtained from the holder of parental responsibility. Finally, the controller must be able to demonstrate that consent was given, so an organisation should not begin processing personal data on the basis of consent until it holds a record of that consent, unless another lawful basis (such as legitimate interest) has been established for the collection or processing.
Privacy rights – Let us look at the rights the GDPR gives to individuals. These rights belong to every data subject in the EU, not only to EU citizens. Every data subject has the right to ask an organisation for, and to obtain, the following:
1. Information on what personal data is being processed and why it is being processed
2. Access to the personal data being processed, including a copy of that data and of any consent they have given, so that they can verify it
3. Rectification of inaccurate data, and completion of incomplete data
4. Withdrawal of consent at any time, where processing is based on consent
5. Objection to the processing of their data (for example, processing based on legitimate interest or direct marketing)
6. Not to be subject to a decision based solely on automated processing, including profiling (using a tool to analyse behaviour or personality automatically), where that decision has legal or similarly significant effects on them
7. Erasure, also known as the right to be forgotten. This is not an absolute right: the organisation can refuse on the basis of its retention schedule and any statutory requirements to keep the data
8. Portability of their data, in a structured, commonly used, machine-readable format, to another controller
It is important for organisations to provide proper consent forms and to be ready to honour these rights when a data subject exercises them. Organisations will also have to review their published privacy notice and amend it where necessary so that it covers at least the following:
1. The personal data that is collected and the purpose of collecting it
2. The processing activities carried out on that data, their purpose, and the lawful basis for each
3. The types of sensitive (special category) data that are collected, if any
4. The recipients of the data, and the reasons for any transfers, including transfers outside the EU
5. The mechanism by which a data subject can request access to their data and exercise their other rights
6. Contact details within the organisation (including the data protection officer, where one is appointed) for obtaining more information
7. Information on how the personal data is protected and how long it is retained
We will define a few more key terms in my next blog post. Once we are familiar with these terms, it will be easier to identify the various scenarios an organisation could face and the actions it should take to protect personal data. Let me mention here that implementing ISO 27001:2013 in your organisation will help you meet the physical and logical security requirements of the GDPR, but it is not sufficient on its own. In my estimate it covers only 50 to 60 percent of the GDPR's requirements; the remainder (lawful basis, consent, data subject rights, privacy notices and the like) is about how data is handled rather than how it is secured, and the organisation needs to do more to meet it in full. That is a topic for my subsequent blog posts.