Head of policy and engagement at the Information Commissioner’s Office, Jo Pedder, points to useful guidance on the new EU General Data Protection Regulation, which is set to come into force in May 2018.
The regulation will bring in some major changes to how organisations are expected to look after personal data, and to their responsibilities for disclosing incidents involving that data to the authorities and to affected individuals. The changes could mean huge penalties for organisations that fail to take their data protection responsibilities seriously.
Steps to take ahead of the changes
As the U.K.’s representative on the EU’s Article 29 Working Party, the ICO has provided a lot of useful tips about the changes, including a publication of 12 steps to take right now ahead of the GDPR coming into effect on 25 May 2018:
- Increase awareness of the GDPR for the company heads, decision makers and shareholders
- Document and organise all personal data held
- Review current privacy notices and make necessary updates to comply with the new laws
- Do the same for your working procedures and for how you handle subject access requests
- Check that your procedures cover individuals’ rights, including how their data is used, shared and deleted
- Identify the lawful basis for processing personal data
- Review how your organisation seeks, records and manages consent from data subjects
- Review parental/guardian consent for processing personal data belonging to children
- Set up a data breach response procedure that mitigates damage as much as possible
- Read the ICO’s code of practice on Privacy Impact Assessments
- Assign a Data Protection Officer who will ensure data protection compliance
- Check your responsibilities for cross-border data processing
Changes to profiling
The GDPR is set to change profiling, which is where an individual’s personality, behaviour, interests, habits and other characteristics are identified, analysed and predicted. Organisations may gather information such as education, browsing history, financial data and purchase history in order to market the goods and services they think an individual wants or needs.
Profiling has grown exponentially in the last few years, to the point where personal data is everywhere online. The GDPR is, however, set to increase the rights of data subjects and raise the bar on the obligations of data controllers, which may result in huge changes to the way companies advertise on the internet.
After 25 May 2018, organisations will need to show that the personal data they obtain is minimised, rather than gathering vast amounts of information in case it can be used for other purposes later. This information will need to be accurate, given that inaccurate information can lead organisations to make the wrong classifications and decisions. The GDPR also calls for proper retention management of the personal data obtained, by regularly reviewing the data to make sure it is still “relevant for the purpose.”
Changes on consent
If an organisation is relying on consent as the legal basis for obtaining personal data, that consent is only valid if it is “freely given, specific, informed and unambiguous.”
However, there are some circumstances in which such consent may not be needed:
- When the processing is necessary for the performance of a contract
- When it is necessary for the purposes of the interests of the controller or a third party
The key word here is ‘necessary’. The GDPR will expect organisations to be able to evidence that necessity. These new provisions should help to ensure that organisations aren’t just gathering huge amounts of data haphazardly and putting it in a giant digital box to dig into whenever they want. It may also helpfully restrict the sale of information.