Privacy and consent are two major areas that will be affected by the General Data Protection Regulation (GDPR), and will require an overhaul on the way many organisations obtain, collect and handle personal data. Dealing with these changes will involve much planning and the implementation of new systems if organisations do not wish to be caught short.
Organisations have until now been able to rely on implied consent, but a much higher standard of consent will be required under the GDPR. This will mean consent must be given by an unambiguous indication of the individual’s agreement to their personal data being processed such as written, electronic or oral statement.
GDPR presumes that consent is not freely given if there is “a clear imbalance between the data subject and the controller, in particular where the controller is a public authority.” And a controller cannot make consent a condition of service unless it can be demonstrated as a necessity for service delivery
Businesses that rely on consent as a legal basis for processing data will need to carefully review their existing practices to ensure that any consent obtained indicates affirmative agreement of opting in, such as ticking a box. Just acquiescence, such as not un-ticking a box, will not count as consent under the GDPR.
On top of this businesses must ensure that individuals can withdraw their consent at any time, and have systems in place to implement this. Withdrawing consent under GDPR has to be as easy as it was to give.
Another standard that is increasing under GDPR will be privacy, which will now enforce mandatory privacy both by design and by default, which will mean organisations will have to:
- Take data protection requirements into account for any new technology, product or service that involves processing people’s data
- Take into account the nature, scope, context and purposes of the processing as well as the risks to individuals when determining the means of processing and at the time of processing
- Conduct mandatory data protection impact assessments before carrying any processes that use new technologies that are likely to result in a high risk to data subjects
- Organise a systematic and extensive evaluation of personal aspects by automated processing on which decisions are based that produce legal effects concerning the data subject or significantly affect the data subject
Lastly, it is important for an organisation to recognise how important privacy and consent are too their customers. If these are felt to have been abused by an organisation then trust in that organisation and with it the organisation’s brand can be severely damaged. By implementing systems that better protect privacy and consent, it is probable that a lot more can be done with the data gathered that will benefit organisations.
Oliver Richards, Underwriter for Technology and Cyber Risks
Download our Risk and Confidence Survey at http://www.cnahardy.com/pulse