The General Data Protection Regulation (GDPR) imposes many new responsibilities and sanctions on organisations with regard to data, consent and data breaches.
Control where your data is and how it’s stored, shared and accessed
The GDPR has a principle of “purpose limitation”, under which personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. Individuals can withdraw consent and can ask to see what information is held about them.
Accountability is a core principle. The GDPR asks companies to be accountable for their own decisions on how they collect and use personal data, and to keep records and evidence of the decisions they made and how they made them. Companies need to be clear about why they need the data, what they are going to use it for, how they are going to keep it secure and the legal basis they are relying on to process the data.
Here are 5 key things not to miss about the GDPR responsibilities for your company.
#1. There are New Special Categories of Data
The GDPR introduces special categories of data: categories of sensitive personal data. Processing them is prohibited unless one of the exemptions in Article 9 applies; in most cases that means the individual’s explicit consent, and companies need to take particular care to prevent unauthorised use. Special categories of data are defined as data concerning:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Data concerning health
- Data concerning a person’s sex life or sexual orientation
#2. You Have One Month to Respond to Subject Access Requests
GDPR gives individuals the right to obtain:
- Confirmation that their data is being processed
- Access to their personal data
- Other supplementary information (e.g. the information provided in your company’s privacy notices).
These are called Subject Access Requests or SARs.
The Regulation states that the information must be provided without undue delay and within one month of receiving the request at the latest. Where requests are complex or numerous, organisations can extend the deadline by a further two months (three months in total). However, you must still respond within the first month, explaining why the extension is necessary.
Information must be provided for free
However, you are permitted to charge a “reasonable fee” when a request is manifestly unfounded, excessive or repetitive.
Electronic requests must be available
Organisations must provide data subjects with the option of making requests electronically (e.g. by email) as well as physically. Where a request is made electronically, the information must be provided in a commonly used file format.
#3. Data Portability is a New Right Under GDPR
The right to portability is a new right designed to make it easy for individuals to move their data to another service provider. It means the individual has the right to receive his or her personal data in a structured, commonly used and machine-readable format (see Article 20 of the GDPR text for further information).
This right applies when the processing is based on consent, or the data is necessary for the performance of a contract.
You must provide the personal data in a structured, commonly used and machine-readable form. Open formats that meet this test include CSV, JSON and XML. Machine-readable means that the information is structured so that software can extract specific elements of the data, which enables other organisations to reuse it.
If the individual requests it, you may be required to transmit the data directly to another organisation if this is technically feasible. However, you are not required to adopt or maintain processing systems that are technically compatible with other organisations.
#4. Consent Now Requires Positive Indication of Agreement
Under the GDPR, individuals have a stronger right to have their data deleted where customer consent is the only justification for processing. You will have to explain your legal basis for processing personal data in your privacy notice and when you answer a Subject Access Request.
If you do use customer consent when you record personal data, you should review how you seek, obtain and record that consent, and whether you need to make any changes.
Consent must be ‘freely given, specific, informed and unambiguous.’ Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to processing of their personal data. They must know exactly what they are consenting to, and there can be no doubt that they are consenting.
And most importantly obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity.
#5. Notifiable Data Breaches Must be Reported Within 72 Hours
The data controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be told without undue delay. Every breach, notifiable or not, must be documented internally so the supervisory authority can verify compliance. The notification must cover the following elements:
- Nature of the breach, including the categories and approximate number of data subjects and records concerned
- Categories of personal data
- The likely consequences of the data breach
- Measures taken or proposed to address the breach and mitigate its effects
- Contact details of the DPO or another contact point
The GDPR will require some organisations to designate a Data Protection Officer (DPO). The important thing is to make sure that someone in your organisation, or an external data protection advisor, takes responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively.
Is your company prepared for GDPR? What have you put in place for Subject Access Requests and positive consent? Tell us your thoughts in the comments below.