The potential consequences and sums involved for non-compliance, which is up to €20 million or 4% of annual net revenue for serious breaches, mean that everyone is taking the new GDPR seriously. But many smaller businesses are only now looking at what needs to be done.
It is not too late, however, and GDPR does not need to be daunting. For the most part, GDPR will not be too onerous as long as the correct procedures have been put into place. This means putting in the leg work now to ensure compliance in time for the deadline.
What does it mean for you?
Companies will fall into one of two categories: data controllers and data processors.
A data controller is the person or company who determines the purposes for which, and the manner in which, any personal data is processed.
Data processors are people or companies who process personal data on behalf of a data controller. (Employees of data controllers are excluded from this definition.)
A substantial number of companies will fall into the data controller category, which is the one I deal with here.
GDPR – the mantra
Consent must be:
- Informed;
- Freely given;
- Clear and concise.
For consent to be informed, the data subject should be aware of at least the data controller’s identity, what data will be collected and how it is collected, and the intended purposes of the processing.
If consent is given in the context of a written document that also concerns other matters (such as a contract or T&Cs), data controllers must present the requirement to give consent to the processing of personal data in a way that is clearly distinguishable from these other matters. The data controller should not make consent a condition of entering into that contract. Companies should therefore review their contracts, terms and conditions and other documents to ensure that the section on consent is clearly identifiable and clearly written, and that it gives information on how consent can be withdrawn at any time (together with the right to be forgotten and how to amend your details).
Silence, pre-ticked boxes or inactivity should not normally constitute consent. When the processing has multiple purposes, consent should be given for all of them.
Form of consent
Consent can be given by a statement, which can be a written statement (including by electronic means) or an oral statement (although it is highly advisable that written statements are used so that these can be kept and evidenced), or by a clear affirmative action.
Examples of affirmative actions include:
- Ticking a box when visiting a website;
- Choosing technical settings for an online service;
- Pressing a specific button to continue a call, once you have been made aware of the data policy;
- Any other conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data.
Withdrawal of consent
Data subjects have a right to withdraw their consent at any time (although this will not affect the lawfulness of any processing carried out before the withdrawal). Data subjects must be informed of their right to withdraw their consent, and consent must be as easy to withdraw as it is to give. This is likely to affect the common practice where granting consent is made easy for users, for example by ticking a box on a website, but withdrawing consent requires an email or even a postal notification. Ideally, granting consent and withdrawing consent should be done in the same way, i.e. by clicking a link or ticking a box.
GDPR for employees
Employers hold a large amount of data (some sensitive data) about their employees. In the same way that clients and customers have the right to know what data is being held, by whom and why, so do employees.
The requirements here vary somewhat, in that an employer must be allowed to hold and use some of this data about its employees in order to carry out its primary function, that of employing and paying its staff. However, a separate privacy policy is advisable rather than a paragraph in an employment contract. The policy should set out what data is collected, how it is obtained and what is done with it, and detail employees’ rights in respect of this.
General matters
Aside from the various documents, wording and policies a business will need in order to be GDPR compliant, businesses will also need to consider the practicalities of ensuring their internal processes are up to scratch, such as storing data and keeping it secure. An internal system for running their database will need to be set up. Businesses will also need to ensure that any third parties, service providers or suppliers are compliant, so a review of their contracts with, for instance, outsourced payroll companies is crucial.
If you need assistance with getting your business ready for GDPR, please contact Ilinca Mardarescu.