
GDPR: What it means to everyone else

What is all this GDPR?

It’s not just businesses that need to know about GDPR. The GDPR is all about you.

The GDPR is a regulation that sets out how organisations can collect, use and store data about you. It also states what rights you have over your data, and how you can obtain the data any organisation holds about you.

Giving consent

One of the big changes is related to how organisations can get consent for processing data about you.

Typically an organisation will use consent as the basis for sending you marketing information. This is why you often see a checkbox that says something like “Tick here if you don’t want to receive our marketing letters”, followed by a whole string of legal bumf saying that they may share your data with selected third parties and associates.

Under the GDPR that is no longer sufficient. Consent is still going to be one of the main ways for a company to get your permission to market to you, but there are some significant changes.

First of all, you have to actively opt in; consent cannot be assumed. This means that using phrases like ‘Continue browsing if you accept our terms and conditions’ is not sufficient: there has to be some action on your side to show you have chosen to give your consent. This is likely to still be a checkbox, but one that you have to tick to give consent (i.e. organisations can’t say ‘tick here to opt out’ and they can’t pre-tick the box).

Secondly, the consent needs to be specific to a single purpose. This will result in more checkboxes on forms, but it will give you more control.

A company won’t be able to say something like “Tick here if you agree to our T&C’s and you’re happy to receive our newsletter”, or hide things in the Privacy Policy, like a vague phrase about passing your details on to selected 3rd parties. Instead they will need a separate checkbox for each purpose they want your consent for (one for marketing, one for passing your details on to a named third party, and so on).

Thirdly, you have the right to be informed. This means that at the point where you’re giving consent (on the same screen as the checkbox) there needs to be enough specific information for you to make an informed decision.

While a link to a privacy policy can give more detailed information, the organisation needs to give you the key points on the same page. This should include what information they are collecting, why they are collecting it, how long they will retain it, who will get access to it, and, if it’s being passed outside the EEA or to a third party, why and on what terms.

Lastly, the wording on the consent form and on the privacy policy needs to be clear and understandable. Complicated legal terms should be replaced or explained in greater detail so the average individual can understand what they are giving consent for.

It’s not just consent

There are other lawful bases open to organisations for processing your data that don’t rely on consent: performance of a contract with you, a legal obligation, protecting someone’s vital interests, a public task, and the organisation’s legitimate interests. If an organisation relies on one of these, it needs to tell you which one, and it needs to be able to demonstrate that the basis it has chosen is lawful and that the processing complies with the other GDPR requirements. In many cases a company will still choose consent, as it’s the least ambiguous basis.

It’s not just about marketing

The GDPR is not just about marketing either; it covers any personal data, meaning any information relating to an identified or identifiable individual. This includes employment data and contact data if it identifies you as an individual.

The data doesn’t have to name you to count as personal data: a reference number, location data, an online identifier, biometric information or any other type of information that singles you out is classed as personal data.

Your rights

There are eight rights you have over your data under the GDPR:

  1. Right to be informed
    You have the right to be informed at the point of data collection of:
    WHAT information is being collected about you
    WHY your information is being collected
    HOW your information will be used
    WHO will be able to access your information
    WHERE your data will be sent and stored
    The policy wording needs to be clear, legible, transparent and precise. Simply mentioning ‘3rd parties’ is no longer sufficient; the organisation needs to state who, why and how for each case.
  2. Right of access
    You have the right to access the personal information an organisation holds about you, including supplementary information (such as the purposes of the processing and the retention period), in an easily accessible and understandable format. Any technical information needs to be explained clearly.
  3. Right to rectification (amendment)
    If the information an organisation holds on you is inaccurate or incomplete, you have the right to have it corrected.
  4. Right to erasure (deletion)
    Commonly reported as the ‘right to be forgotten’, you have the right to have your personal information deleted where there is no lawful reason for retaining it, where you withdraw the consent on which the processing relied, or where the information is no longer needed for the purpose it was collected for.
  5. Right to object
    You have the right to object to processing of your data for direct marketing (the organisation must stop as soon as you object), and to processing based on legitimate interests or a public task unless the organisation can show compelling grounds to continue.
  6. Right to data portability (transport)
    Where you provided the data yourself and it is processed by automated means on the basis of your consent or a contract, you have the right to receive a copy in a structured, commonly used, machine-readable format that lets you reuse it for your own purposes or move it to another service.
  7. Right to restrict processing (rescind)
    You have the right to withdraw consent at any time, and to have processing of your personal data paused, for example while its accuracy or the lawfulness of the processing is being checked.
  8. Rights in relation to automated decision-making and profiling
    If an organisation makes a decision about you based solely on automated processing, including profiling, that has legal effects or similarly significant consequences for you, you have the right to obtain human intervention, to express your point of view and to contest the decision.

In most cases the organisation has one month to respond to your request (extendable by a further two months for complex or numerous requests, provided they tell you within the first month). Responses must be provided free of charge, unless the request is manifestly unfounded or excessive, and in a readily accessible format. If there is a lawful reason not to action your request, or the organisation needs further information from you, it needs to notify you within that month.

#WeCanHelp

There’s a lot of work that needs to be done to get GDPR compliant. We can take the burden off you and create the policies, documentation and processes you need to make sure your organisation is compliant.

We can continue to support you by processing your incoming user requests and monitoring your processes to make sure your organisation remains GDPR compliant.

Contact Us Today!

Some of the GDPR specific services we offer include:

  • Data Protection Officer Services
  • Policy Writing
  • Data Handling
  • ICO Registration
  • Process Monitoring
  • Process Assessment

it@tinsleynet.co.uk

07825 650122
