As we enter 2018, time to prepare for the EU General Data Protection Regulation (GDPR) is running out. 25th May is the deadline to ensure compliance, and in part two of this three-part blog series we discuss one of the most hotly debated aspects of the new legislation: has the data owner consented to having their Personally Identifiable Information (PII) stored and processed?
Perhaps the greatest change in the new EU GDPR compared to the outgoing Data Protection Act is its strict approach to user consent. As the proliferation of connected systems and technologies rapidly increases the volume of personal data, ensuring PII is not only securely stored but also used with the data owner's permission is vital to achieving compliance with the new legislation.
A lawful basis for storing data
All businesses must have a lawful basis to store PII. This could be one of a range of bases, such as performance of a contract (e.g. with company employees), compliance with the company's legal obligations, safeguarding the interests of data subjects, or legitimate interest. Where the lawful basis for storing the data is consent, that consent must be freely given and explicit in nature. It could be obtained by the data subject ticking a clearly labelled opt-in box, for example. An organisation will need to obtain this consent for each purpose for which the data will be used. Once consent is granted for a specific lawful use, it cannot be swapped for another purpose without further consent.
The lawful basis for processing data can be identified and documented within a company by updating its privacy notice. Consent must also be necessary for the stated purpose, and cannot be used as a quid pro quo for access to certain services. These new rules are set to have a significant impact on marketing teams in particular. For example, providing a free service such as a mobile app in exchange for access to personal data will no longer be viewed as valid consent.
Furthermore, PII stored for other marketing purposes, such as e-mail marketing databases, must also be held with the consent of the data owner, and that consent must be valid and up to date. While this may sound like a daunting prospect, complying with the GDPR in this way presents the perfect opportunity for organisations to clean up their databases and ensure that consent to store and process PII is obtained going forward.
There are severe consequences for non-compliance with the EU GDPR, but with guidance from a qualified practitioner, your business can overhaul its stored PII and avoid fines by implementing best-practice measures for data security. We can help your business prepare for the new regulations by conducting an Organisational Compliance Assessment which will produce a clear and actionable road map to compliance.