GDPR: What Companies Need to Make Available to Consumers
The GDPR era commenced a week ago and the dust has begun to settle. So, what’s next? Over the past few weeks everyone has been inundated with notices from companies explaining changes to their policies and seeking consent from users. These changes relate to various provisions of the GDPR, and as companies adopt compliance controls to manage user data, the effects of the GDPR will continue to surface.
The GDPR gives users the authority to decide the extent to which organizations may use their personal data. It regulates the personal data that businesses collect by defining the boundaries of data collection, processing and use through policies, notices, consent and access requests.
Should all businesses obtain ‘consent’?
It depends. Consent is only one of the lawful bases for processing listed in Article 6 of the GDPR, alongside performance of a contract, a legal obligation, vital interests, a public task and legitimate interests. If your organization does not process personal data at all, no consent is needed. If it does, it must identify a lawful basis for each processing purpose, and that basis need not be consent. Where consent is the basis relied on, it should be obtained through an express mechanism whose records can be produced later to demonstrate that consent was given. Asking for consent that you do not actually rely on is not recommended: it offers users a choice that is not real, and regulators treat that as misleading.
What should businesses address for a GDPR-compliant ‘consent’?
GDPR requires consent to be an affirmative indication of a user’s wish for their personal data to be processed. To elaborate, a valid consent should be:
- Freely given, specific, informed and unambiguous;
- Given by way of a statement or a clear affirmative action (silence, pre-ticked boxes and inactivity do not count);
- Clearly distinguishable from other terms and conditions, so that it cannot be bundled into them;
- Requested in an intelligible and easily accessible form, using clear and plain language;
- As easy to withdraw as it was to give.
A consent request should explain what personal data is being collected, why, and to whom it is disclosed or transferred. Explicit consent is a higher standard than ordinary consent and is one of the conditions that permits processing special categories of data (such as health or biometric data), making decisions based solely on automated processing, including profiling, that have legal or similarly significant effects on a user, and transferring data internationally without an adequacy decision or other appropriate safeguards. In the last case the user must also be informed of the possible risks of the transfer. Because the controller must be able to demonstrate that consent was given, keep a clear audit trail: what the user was shown, what they agreed to, and when.
Users can withdraw consent at any time, and withdrawal must be as easy as giving consent. Withdrawal is distinct from, but closely related to, the ‘Right to be Forgotten’ (the right to erasure): once consent is withdrawn and no other lawful basis applies, the user can seek deletion of the data held about them. Organizations should make suitable provisions for withdrawing consent previously given, stop the processing that relied on it, and maintain records of all withdrawals and the actions taken in response.
What should businesses do to inform users of data processing?
The GDPR requires businesses to adequately inform users about multiple facets of data collection, including the recipients of data, how to exercise their rights, and how long data is stored, in the form of privacy notices (sometimes called ‘Fair Processing Notices’). Here is a bird’s eye view of the mandatory contents of such a notice:
- What information is being collected? - Details and categories of personal data collected;
- How is the information being collected? - Methodology of collecting personal data, and the source where it was not obtained from the user directly;
- Why is specific information being collected? - Purposes of the processing and the legal basis for each purpose;
- Who is collecting it? - Identity and contact details of the controller and, where one is appointed, the data protection officer;
- Who will the data be shared with? - Recipients, or categories of recipients, of the personal data;
- How long will the information be stored? - Period of storage, or the criteria used to determine it;
- How will it be processed? - Nature of the processing, including any automated decision-making or profiling, the logic involved and its consequences for the user;
- How will it be transferred? - Whether data is transferred outside the EU, the safeguards relied on (such as an adequacy decision, standard contractual clauses or binding corporate rules) and how to obtain a copy of them;
- How can a user access personal data after consenting? - Data access requests and data portability;
- How can consumers enforce their Right to be Forgotten? - Requesting deletion of personal data; withdrawing consent;
- Who should consumers contact when inquiring about personal data or other concerns? - Contact details for the data protection officer or privacy contact, and the right to lodge a complaint with a supervisory authority.
Businesses should ensure that data is used only for the purposes stated in the notice and, where consent is the basis, within the scope of the consent obtained (purpose limitation). If a business intends to use the data for a new purpose that is not compatible with the original one, it must inform users and, where consent is the basis, obtain fresh consent specific to the new use. In practice this means that user data collected for one purpose cannot simply be repurposed for marketing or targeted advertising without a lawful basis for that new purpose, which for profiling-based advertising will usually mean prior consent.
What should businesses do to comply with data access requests?
The GDPR requires organizations to facilitate data subject requests, in practice by providing a channel (a form, an account page or a dedicated contact) through which users can view, correct and delete their data. Users are entitled to request access to, and receive a copy of, the personal data collected and processed about them without charge; where the request is made electronically, the copy should be provided in a commonly used electronic form. A reasonable fee may only be charged for further copies, or where a request is manifestly unfounded or excessive, in particular because it is repetitive.
Where international data transfers are involved in data storage and retrieval, businesses should inform users of the associated risks and the safeguards in place. In addition to the right of access, users also have the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object to processing (including direct marketing), and the right not to be subject to solely automated decision-making, including profiling. Businesses should ensure suitable policies are in place to address the following:
- Right to rectification - Option to have inaccurate personal data corrected and incomplete data completed, including by means of a supplementary statement;
- Right to erasure - Option to have personal data erased when consent is withdrawn, the data is no longer necessary for the purpose it was collected for, it was processed unlawfully, or erasure is required by law;
- Right to restriction of processing - Option to restrict processing while the accuracy of the data is contested, where processing is unlawful but the user opposes erasure, or where the data is needed for legal claims;
- Right to data portability - Option to receive personal data in a structured, commonly used and machine-readable format and to transmit it to another business; and
- Right not to be subject to automated individual decision-making/profiling - Option to object to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects on the user, and to obtain human intervention.
Businesses should respond to data subject requests without undue delay and in any event within one month of receipt. That period may be extended by two further months where necessary, taking into account the complexity and number of requests, but the user must be told of the extension and the reasons for it within the first month. Non-compliance may result in complaints to a supervisory authority, legal risk and hefty fines: infringements of data subjects’ rights carry fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
As the GDPR continues to unfold in real time, businesses and compliance professionals will learn more about how these provisions apply to actual fact patterns, and best business practices will develop soon after. This is an exciting but trying time for compliance and privacy professionals. Companies that collect user data must remain informed and ahead of the curve.
If your organization is concerned about governance, risk mitigation, regulatory compliance, human resources management and ethics, we can help simplify things for you. Call us at 973-520-6131. You can also get in touch on our website at www.riddlecompliance.com. We’re passionate about supporting our clients with respect, transparency, and unparalleled expertise.