It's not just businesses that need to know about GDPR. The GDPR is all about you.
The GDPR is a set of new regulations that say how organisations can collect, use and store data about you. It also states what rights you have over your data, and how you can get hold of the data any organisation holds about you.
One of the big changes is related to how organisations can get consent for processing data about you.
Typically an organisation will use consent as the basis for sending you marketing information. This is why you often see a checkbox that says something like "Tick here if you don't want to receive our marketing letters", followed by a whole string of legal bumf saying that they may share your data with selected third parties and associates.
Under the GDPR that is no longer sufficient. Using consent is still going to be one of the best ways for a company to get your permission to market to you, but there are some significant changes.
First of all, you have to actively opt in; consent cannot be assumed. This means that using phrases like "Continue browsing if you accept our terms and conditions" is not sufficient; there has to be some action on your side to show you have chosen to give your consent. This is likely to still be a checkbox, but one that you have to tick to give consent (i.e. organisations can't say "tick here to opt out" and they can't pre-tick the box).
Secondly, the consent needs to be specific and for a single purpose only. This will result in there being more checkboxes on forms, but it will give you more control.
A company won't be able to say something like "Tick here if you agree to our T&Cs and you're happy to receive our newsletter", or hide things in the Privacy Policy, like a vague phrase about passing your details on to selected third parties. Instead they will need a checkbox for each permission they want (one to say you're happy to receive marketing, one to say you're happy for them to hold your data, one to say you're happy for them to pass your details on, and so on).
Thirdly, you have the right to be informed. This means that at the point where you're giving consent (on the same screen as the checkbox) there needs to be enough specific information for you to make an informed decision.
While a link to a privacy policy can give more detailed information, the organisation needs to give you the key points on the front page. This should include what information they are collecting, why they are collecting it, how long they will retain it, who will get access to it, and, if it's being passed outside the EEA or to a third party, why and on what terms.
Lastly, the wording on the consent form and in the privacy policy needs to be clear and understandable. Complicated legal terms should be replaced or explained in greater detail so that the average individual can understand what they are giving consent for.
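The four consent conditions above (active opt-in, one purpose per checkbox, key information shown at the point of consent, and a declared basis for any transfer outside the EEA) can be checked in code before a form is allowed to record consent. The following is an added example, not code from this post or from any particular product; the `ConsentRequest` field names, the list of required disclosures and the sample form data are assumptions constructed for illustration.

```python
"""Check a consent checkbox against the GDPR consent conditions described above.

Added example (not the post's own code). The record shape, field names and
the REQUIRED_DISCLOSURES keys are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Key points that must be visible on the same screen as the checkbox
# (what is collected, why, how long it is kept, who gets access).
REQUIRED_DISCLOSURES = ("what_collected", "why", "retention", "recipients")


@dataclass
class ConsentRequest:
    purposes: Tuple[str, ...]            # a valid request covers exactly one purpose
    pre_ticked: bool                     # True if the box was already ticked when shown
    opt_out_wording: bool                # True if ticking means "do NOT contact me"
    ticked: bool                         # what the user actually submitted
    disclosures: Dict[str, str] = field(default_factory=dict)  # text shown beside the box
    transfers_outside_eea: bool = False
    transfer_basis: Optional[str] = None  # why/on what terms data leaves the EEA


def consent_problems(req: ConsentRequest) -> List[str]:
    """Return a list of reasons this consent request is not GDPR-valid (empty if it is)."""
    problems: List[str] = []
    if len(req.purposes) != 1:
        problems.append("consent must be for a single, specific purpose")
    if req.pre_ticked:
        problems.append("checkbox must not be pre-ticked")
    if req.opt_out_wording:
        problems.append("consent must be opt-in, not opt-out")
    missing = [k for k in REQUIRED_DISCLOSURES if not req.disclosures.get(k)]
    if missing:
        problems.append("missing disclosures at point of consent: " + ", ".join(missing))
    if req.transfers_outside_eea and not req.transfer_basis:
        problems.append("transfer outside the EEA needs a stated reason and terms")
    return problems


def record_consent(req: ConsentRequest, now: Optional[datetime] = None) -> Optional[dict]:
    """Build an auditable consent record, or None if the user did not tick the box.

    Raises ValueError if the form itself is not a valid way to obtain consent,
    so an invalid form can never produce a stored 'consent'.
    """
    problems = consent_problems(req)
    if problems:
        raise ValueError("; ".join(problems))
    if not req.ticked:
        return None  # no affirmative action, so no consent to record
    when = now or datetime.now(timezone.utc)
    return {
        "purpose": req.purposes[0],
        "granted_at": when.isoformat(),
        # Snapshot of what the person was told, so the organisation can later
        # demonstrate the consent was informed.
        "disclosures_shown": dict(req.disclosures),
    }


# Constructed sample forms.
OLD_STYLE_FORM = ConsentRequest(
    purposes=("accept_terms", "newsletter"),   # two things bundled in one box
    pre_ticked=True,
    opt_out_wording=True,
    ticked=True,
    disclosures={"why": "marketing"},
)

NEW_STYLE_FORM = ConsentRequest(
    purposes=("newsletter",),
    pre_ticked=False,
    opt_out_wording=False,
    ticked=True,
    disclosures={
        "what_collected": "email address",
        "why": "sending our monthly newsletter",
        "retention": "until you unsubscribe",
        "recipients": "our mailing-list provider only",
    },
)

if __name__ == "__main__":
    print(consent_problems(OLD_STYLE_FORM))
    print(record_consent(NEW_STYLE_FORM))
```

The useful design point is that `record_consent` refuses to produce a record at all when the form is defective, rather than storing a flag that looks like consent but would not stand up to scrutiny; the stored snapshot of the disclosures is what lets an organisation later show what the person was told.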
There are a few other options open to organisations for processing your data that don't rely on consent. If an organisation is going to use one of these other options, it needs to explain this to you. It also needs to be able to demonstrate that the reason it has chosen a particular option is lawful and complies with the other GDPR criteria. In most cases a company will probably use the consent basis, as it's less ambiguous.
The GDPR is not just about marketing either; it covers any personally identifiable data. This includes employment data and contact data if it identifies you as an individual.
The data doesn't have to specifically name you to be classed as personally identifiable: a reference number, geographic information, biometric information or any other type of information that singles you out is classed as personally identifiable.
There are 8 specified rights you have over your data under the GDPR:
In most cases, the organisation will have 30 days to respond to your request. Responses must be provided free of charge, and in a readily accessible format. If there is a lawful reason to not action your request, or ask for further information, the organisation needs to notify you within 30 days.
#WeCanHelp
There's a lot of work that needs to be done to get GDPR compliant. We can take the burden off you and create the policies, documentation and processes you need to make sure your organisation is compliant.
We can continue to support you by processing your incoming user requests and monitoring your processes to make sure your organisation remains GDPR compliant.
Some of the GDPR specific services we offer include: