The introduction of manifold legislative changes to the way that organisations gather, retain and use personal data is now just weeks away.
This is, of course, the new EU-wide GDPR, which comes into force on 25th May.
Unless you have already taken the time to drill down into the detail, you may not be aware just how much is required and how significant these changes are going to be.
On a very basic level, under the GDPR changes, every individual will have the right to know:
- Who is storing personal data about them
- Why they are retaining this and how they plan to use it
- That they have given agreement for this data storage and its use.
Is this no longer a toothless tiger?
Initially I felt the old directive was always something of a ‘toothless tiger’.
By this I mean that, IMHO, it always seemed a question of us all ticking boxes to show we had complied with data protection rules.
But the same may not be true under GDPR.
As I dug deeper, it became clear that GDPR is much more than a basic tracking exercise: it is complex and explicit.
Privacy policies should embed the principles of fair and transparent processing and require companies to always use clear and appropriate language whilst informing users and sharing information.
As a part of this, Recital 39 of the GDPR legislation tells us that:
‘Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing.
‘In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data.
‘The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum.
‘Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review’.
Recital 39 also tells us that:
‘Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted.
‘Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.’
And that is not all. Recital 60 says:
‘The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes.
‘The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed.
‘Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling.
‘Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data.
‘That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.’
The GDPR must be taken seriously
Worried yet that you might need to revisit how you look at data protection? You should.
Do remember, these requirements are no joke, and so far I have only covered one of the core GDPR principles.
There is a lot of detail to take in here and most organisations will benefit from taking professional advice.
For example, the Article 29 Working Party (WP29) has published a 35-page document providing guidelines on transparency.
Although lengthy, these guidelines do provide further clarification of the different elements of transparency such as what they consider to be ‘clear and plain language’ and also what they mean by ‘concise, transparent, intelligible and easily accessible.’
WP29 also goes into detail about the information that must be provided to data subjects. This includes content, design and availability requirements.
Actions to take
One of your key steps towards becoming GDPR compliant, therefore, is to ensure you will fulfil these requirements.
To help things along, I list here the main requirements:
In addition to the requirements I have covered above, you’ll need to include information such as the right of the data subject to lodge a complaint with the relevant authorities, whether the data subject is obliged to provide the data, and what the consequences would be if it is not provided.
Content should also show the process behind any automated decision making, including profiling.
These, by the way, should not be nested pages requiring several clicks to reach the information; all information shared must be easily accessible.
The design, therefore, should ensure that the data subject has a clear and easy overview of the information (and knows where to go for any additional published information).
It’s also important to check that any content you provide is not repetitive and includes no conflicting information.
The information on processing (which is likely to have the most impact) should be one of the first pieces of information accessible.
WP29 also provides very detailed guidance on transparency tools like ‘push’ and ‘pull’ notices and privacy dashboards.
3. Data availability
We’d expected that, but WP29 also tells us that, depending on the circumstances of the processing, other formats may need to be used.
If a contract is entered into by ‘postal means’, this may include hard copies of cartoons, infographics and flowcharts.
In addition, in a highly connected IoT environment this may include icons, QR codes, voice alerts, written setup instructions, SMS messages/emails, public information campaigns and more.
Just publishing a policy on your website will not be enough.
GDPR benefits and reassurance
As you are no doubt aware, the new GDPR legislative changes will have a huge impact on our businesses and lives.
Whilst any organisation will have an array of compliance requirements (and a great deal of work to do), do remember that there are many positives included here.
As I outlined at the beginning of this post, GDPR will enable us all to know what personal information is stored about us, who is keeping it and how they are using it.
Most importantly, we will also know that if we ask an organisation to remove our personal information from their records, this will be done.
However, because this will be law (with fines for non-compliance), the key for all organisations is to get the detail right.
I can help
If you require tailored advice and support relating to GDPR compliance and legislation for online payment companies, then please contact me, Nadja van der Veer at Payment Counsel on (+31) 6-4343-6023 or via firstname.lastname@example.org
Please note: This blog does not contain any legal advice and should not be construed as such.