Control where your data is and how it’s stored, shared and accessed
Articles 13 and 14 of the GDPR explicitly require companies to inform people (or data subjects) of key things about how their personal data is collected, what purpose it is being used for, the legal basis for processing their data and more.
Under the GDPR, privacy notices must be concisely written, intelligible, transparent and easily accessible.
Practically this means that the policy should:
- be displayed prominently, not hidden among other terms and conditions that would force people to read large amounts of text;
- for online privacy policies, adopt a layered approach: show a short summary of the important or unusual uses of personal data, then link to more detailed information;
- use language that is clear, straightforward and free from jargon;
- use headings to break the policy down into relevant sections.
1. Who They Can Contact And How They Can Contact Them
You also need to give people clear information on how to contact the right person in your organisation.
Practical tip: If you have a form on your Contact Us page, then add a “data request” option to it. Or add clear information on your Contact Us page about how to get in touch with the right person.
Recommended reading: 5 Key Things About Data Not to Miss in the GDPR
2. What Legal Grounds You Are Using to Collect Personal Data
There are six legal grounds under the GDPR for processing personal data.
1. Consent
Where the person has opted in and given consent for one or more specific purposes.
The data subject must be told that they can withdraw their consent at any time, and withdrawing consent must be as easy as giving it. Consent also needs to be verifiable, so keeping records of when and how consent was given is important.
2. Contractual necessity
Where it is necessary for a contract to take place.
3. Lawful processing
For compliance with legal obligations.
4. Vital interests
Where processing is necessary to protect the vital interests of the person, or to serve the public interest.
5. Public interest
E.g. for scientific research, public health etc.
6. Legitimate interest
Perhaps the trickiest to get to grips with. Think of it this way: even when data processing is necessary to the controller, such legitimate interests must be weighed against “the interests or fundamental rights and freedoms of the data subject”. Data controllers who justify processing without consent on this basis need to be prepared to prove their legitimate interests (a higher burden) against the implied general interests of data subjects.
The GDPR also explicitly addresses the case where the data subject is a child, for whom parental permission is always needed. Moreover, the GDPR explicitly states that the legitimate interest ground does not apply to personal data processing by public authorities in the performance of their tasks. If the legal basis for processing is legitimate interest, organisations must set out in their privacy policies exactly what that legitimate interest is.
Recommended reading: There May Be Some Surprising Benefits of GDPR
3. What Personal Data You are Collecting and Their Rights
You need to tell people what personal data is collected (for example name, address details, card details and technical information such as IP address); if you use cookies, the types of cookies used should be detailed too.
You need to inform people of their rights and how they can exercise them. There are 6 particular rights of individuals under GDPR:
- Subject access – If a customer or prospect submits a Subject Access Request (SAR), you have to respond within 30 days and supply them with a copy of the information you hold on them.
- To have inaccuracies corrected – Having obtained a copy, if they ask for inaccuracies to be corrected, this has to be done in a timely manner.
- To have information erased – If someone wants to be “forgotten”, you have to delete them from your data.
- To object to direct marketing – You must remove them from your marketing communications if requested. More importantly, you now need to be able to show that they gave consent to be on your marketing list.
- To restrict the processing of their information – An individual can limit the way an organisation uses their data. It is an alternative to requesting that their data be erased, and it includes automated decision-making.
- Data portability – You need to be able to provide the data electronically and in a commonly used format.
Recommended reading: A Practical Guide to the Principles of GDPR and Data Protection
4. How Long the Personal Data Will Be Kept For
You have to tell people how long their personal data will be retained for. This means you should:
- review the length of time you keep personal data;
- consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes; and
- update, archive or securely delete information if it goes out of date.
Recommended reading: How to Leverage GDPR For Marketing Your Business
5. Whether Personal Data is Processed Outside of the EEA
If you are processing their personal data outside the European Economic Area (EEA) you have to inform them and also tell them what protections are in place to safeguard the personal data.
Finally, don’t forget these:
- A reminder that people can withdraw consent.
- Tell people that they can complain to the relevant supervisory authority.
- Give them information about any automated decision-making, including profiling, that you use.