2017-09-18

The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD). It significantly enhances the protection of the personal data of EU citizens and increases the obligations on organisations that collect or process personal data.

The General Data Protection Regulation (GDPR) comes into force on the 25th May 2018.

There’s no better time than right now to perform a ‘privacy health check’ and ensure that your practices around the use of databases and your business processes will be compliant.

If you’re thinking that the GDPR is an EU law which will carry no weight post-Brexit, you are wrong! The UK government have already confirmed that even when the UK has left the EU, it will maintain data protection laws that are ‘broadly similar’ to those of the EU.

Companies need to be fully aware of the rights of individuals to be protected, and understand the legal basis for the processing of personal data. Essentially, there are half a dozen lawful grounds upon which personal data may be processed.

Data Processing: The 6 lawful grounds

Article 6.1 of the GDPR confirms that data processing shall be lawful “only if and to the extent that at least one of the following applies”:

1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes.

2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

3. Processing is necessary for compliance with a legal obligation to which the controller is subject.

4. Processing is necessary in order to protect the vital interests of the data subject or of another natural person.

5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

As ever with legislation of this type, there is ambiguity in the text. If data controllers are empowered to process data for the purposes of ‘legitimate interests’ (for example), what constitutes such an interest? Also, if it is necessary to obtain the individual’s ‘consent’, what constitutes consent?

The DPN (Data Protection Network) has published an excellent ‘practical guide for businesses’ that can help you navigate through the technical jargon and articulate the meaning of ‘legitimate interest’ as it applies to you. The guide can help you to determine what steps (if any) you might need to take in order to ensure compliance and protect the interests of those whose data sits within your CRM or ERP system.

The DPN explains the differences between current data protection law, described as “before GDPR” and “changes under GDPR”. It also discusses interpretations of ‘consent’ in a language that makes the subject accessible and interesting.

Your 10-point Checklist

The DPN’s guide takes you through all aspects of GDPR and finishes with a handy 10-point checklist for businesses:

1. Begin preparations NOW – don’t wait for GDPR to come into force.

2. Make sure privacy notices meet the “transparency” challenge.

3. Assess the impact ‘opt-in’ would have on the database.

4. Test and optimise data collection statements.

5. Consider using legitimate interests for some processing.

6. Make sure the database can store proof of consent and multiple permissions.

7. Review contracts with processors.

8. Check whether the type(s) of profiling your organisation conducts will need explicit consent.

9. Prepare to fulfil the new rights of natural persons.

10. Undertake a formal GDPR Impact Assessment.

Click here to download the DPN’s practical guide. You might also like to join the DPN. Membership is free and provides you with access to a broad range of articles, white papers, opinions and collateral to help you ensure compliance.
