The General Data Protection Regulation (GDPR) is the most significant development in data protection law for more than two decades and will have far-reaching implications for businesses and organisations.
The GDPR’s aim to put individuals back in control of their data means businesses will need to look at every aspect of how they collect, manage and protect data.
New rights for individuals and requirements to respond and take appropriate action “without undue delay” will require organisations to ensure they have appropriate processes and resources in place.
Non-compliant data controllers and processors face significant fines and penalties after the GDPR comes into force in spring 2018.
PRIVACY NOTICES – RIGHT TO INFORMATION
The GDPR includes prescriptive rules on the information which organisations must provide to individuals before collecting personal data.
Organisations must include the following information within their Privacy Notices:
- Purposes for collecting and processing personal data;
- Legal basis for processing the data;
- Details of any recipients of personal data they collect;
- Contact details for the Data Protection Officer (where applicable);
- Right of portability and how long the data will be stored;
- Right to withdraw consent at any time whenever the processing is based on consent (where no other lawful basis for the processing exists);
- Right for data subjects to request access to their data;
- The existence of automated decision-making, including profiling, right of rectification or restriction of processing;
- Right to lodge a complaint with a data protection supervisory authority (in the UK this would be the Information Commissioner’s Office while membership of the EU remains); and
- Details of any transfers of personal data outside of the European Economic Area.
The Notice must also be concise and easily accessible, using clear and plain language that is tailored to the appropriate audience. For example, policies aimed at children must be drafted in a way that they can understand.
HOW DOES THIS IMPACT AN ORGANISATION?
Organisations will need to strike a balance between providing too much information and being too high level, so that they meet the transparency requirements and can demonstrate effective notice or consent.