Part 3 in our Q and A series on GDPR readiness ...
Do individuals have the right to view the data we hold on them?
Yes. Part of the expanded rights of Data Subjects outlined by the GDPR is the right for Data Subjects to obtain from the Data Controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the Data Controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift towards data transparency and the empowerment of Data Subjects.
To demonstrate transparency, your privacy policy should give clear guidance and include “Find out what information we hold on you” and “Remove all information about me” sections.
What about Data Subjects under the age of 16?
Parental consent will be required to process the personal data of children under the age of 16 for online services. Member states may legislate for a lower age of consent but this will not be below the age of 13.
What does the “Right to be Forgotten” mean?
Also known as Data Erasure, the right to be forgotten entitles the Data Subject to have the Data Controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to the original purposes for processing, or a Data Subject withdrawing consent. It should also be noted that this right requires Data Controllers to weigh the subject's rights against "the public interest in the availability of the data" when considering such requests.
Does my organisation need to appoint a Data Protection Officer (DPO)?
DPOs must be appointed in the case of: (a) public authorities, (b) organisations that engage in large scale systematic monitoring, or (c) organisations that engage in large scale processing of sensitive personal data (Art. 37). If your organisation doesn't fall into one of these categories, then you do not need to appoint a DPO.
What does “Data Portability” mean?
GDPR introduces the right for a Data Subject to receive the personal data concerning them, which they have previously provided to a Data Controller, in a 'commonly used and machine readable format', and the right to transmit that data to another Data Controller.
How does Brexit affect GDPR?
If your organisation employs or provides services to EU citizens then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is less clear. The UK Government has indicated it will implement equivalent or alternative legal mechanisms. The expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the UK Government, together with the fact that the GDPR provides a clear baseline against which UK businesses can seek continued access to the EU digital market.
What should I do now?
- Make sure the decision makers in your organisation are aware of GDPR.
- Conduct an audit of the personal data you currently hold. Where did it come from? Who is it shared with?
- Make sure individual rights are covered. How would you delete personal data or supply data electronically if requested?
- Review your privacy notices and make sure they're GDPR compliant.
- Review your procedures and plan for how you will handle personal requests within the timescales.
- Make sure you have the right procedures in place to detect, report and investigate data breaches.
- Designate someone to take responsibility for data protection compliance.
Where can I find out more information?
If you have any specific questions you can send an email to connect@globocol.com. Alternatively, you may wish to visit the Information Commissioner’s Office (ICO) web page on GDPR.
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/