Data: Consent, privacy and the right to be forgotten

Right now, you’ll be hearing from a variety of sources about the many things that you need to do to prepare for GDPR.

Neil Adams

In fact, so much so that it can be difficult to know where to start. Based on our experience of preparing for compliance with GDPR, we’ve identified the five areas that we recommend you prioritise first.

First and foremost, organisations need to deal with the issue of consent, which must be provided by customers, employees, citizens, donors to charities and so on. The regulation stipulates that all these people must give their explicit and informed consent for their data to be processed. ‘Informed consent’ means the individual must be made aware of how their information is protected, what it’s used for, and what the risks are.

It’s a very pressing issue because this doesn’t just apply to current or future data. Organisations are going to have to audit all their legacy data to find out where it all is, identify where consent was granted correctly, and then delete records where it wasn’t or where new consent can’t be obtained. This is a huge data cleansing and consolidation task.

There are many aspects in the detail of the GDPR that make the matter more complicated. For example, GDPR states that consent has to be specific, informed, unambiguous and freely given. Among other things, ‘freely given’ means that individuals cannot be chased or unduly pressed for their consent. Much rigour needs to be applied to this process because records also need to be kept to evidence that consents have been properly secured.

Many organisations, including local authorities, will also need to consider the position of minors. Children under the age of 16 cannot give consent. It has to be given on their behalf by someone with parental authority. If organisations do hold data on minors they will have to make reasonable enquiries to check the validity of the person giving the consent for the child.

There are also many issues with what is categorised as ‘sensitive personal data’, which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership. It also covers the processing of genetic data, biometric data, health data and data relating to sex life or sexual orientation. Organisations need explicit and specific consent for the exact purpose or purposes for which any of this sensitive personal data will be used.

Overall, with all these elements to consider, it’s clear that consent is the most labour-intensive element of GDPR. As such, it should be your starting point. The good news is that if you go through the process correctly, most of the additional actions you need to take to comply with GDPR – as outlined below – should follow more naturally.

Defining your privacy policy

GDPR also makes organisations responsible for giving people clear and adequate information about how their information will be protected. In other words, you need a carefully laid out privacy policy.

This is also a very important area to tackle early. This is mainly because it’s one of the most obvious areas for which the Information Commissioner’s Office will be able to hold you accountable. When investigations do happen, organisations will also need audit trails to prove they have fully upheld the policy in the case of each data subject.

Another issue that organisations need to recognise is that the systems they use to protect personal information are likely to be designed and controlled by their service providers. This means they also need to be careful about making any policy commitments until they’re sure that their service provider has the systems and processes to deliver them.

Upholding the right to be forgotten

Another significant element of GDPR is that people have more power to withdraw their consent and get their data amended or deleted. In other words, they have the ‘right to be forgotten’. As mentioned above, if organisations have cleansed and consolidated their data in order to manage consent better, this task will be easier.

There is a complication, however, because organisations will need to check that the IT systems they use will actually allow this to happen. At Eduserv, we’ve found through our own GDPR compliance activity that some leading solutions don’t currently allow for an individual record to be located and amended or deleted. With this in mind, organisations will need to make sure their IT systems will support GDPR. This could help avoid having to make distress purchases when it gets closer to May 2018. They should also start to put pressure on their existing solution providers to supply GDPR compliant solutions by including a ‘right to be forgotten’ facility in future upgrades.

Meeting subject access requests

Another key part of GDPR is the right it gives individuals to make a subject access request at any time and get a response within 72 hours. Again, this task will be made considerably easier if you have gone through a process of cleansing, deleting and consolidating data. You’ll also need to make data management processes more efficient and, ideally, automate the subject access request response process as far as possible. If you don’t get this right, there is a risk of considerable financial penalty. If not handled efficiently, access requests could also prove very time-consuming and a drain on your overall productivity.

Legitimate data processing and the pseudonymisation and anonymisation of data

When organisations are going through their data cleansing process, they will find that some of those records can’t be deleted even if the subject has asked to be forgotten. This might be for reasons of financial regulatory compliance, or for a number of other reasons where organisations can show they have legitimate reason for retaining and processing the data.

This is another very important area, firstly because organisations will need to be very clear on what those legitimate reasons are and may need specialist help defining and confirming them. Secondly, GDPR recommends that organisations pseudonymise or anonymise the data they can’t legitimately delete in order to be compliant. These are time-consuming processes, and organisations may need specialist systems to carry them out. As with all the elements of GDPR compliance we’ve listed above, this means the time to start planning is now.

Neil Adams, compliance officer, Eduserv
