Obtaining consent with GDPR
GDPR or General Data Protection Regulation if you want to use its full name is a new set of rules governing all EU countries. GDPR comes into full effect on Friday the 25th May and is designed to give a higher level of protection for consumers.
The protection of personal data is a real concern with consumers, as many as 76% of respondents to a survey ran by RSA said that losing data was of a concern to them, 62% of these said they would blame the company as opposed to blaming the hacker for the breach.
This concern has led to an increase in users falsifying account information when signing up for products or services, this dirtying of databases decreases its value disproportionately.
What is personal data?
Before we start we need to understand the definition of personal data, this has purposefully been left open to reflect the fast-changing face of technology, and the means in the way information is collected. If we were to boil this down any information that can be used to identify someone is classed as personal data, including but is not limited to location data, pseudonyms, name, age, ID numbers, sensitive personal data includes; genetic, biometric or data that can uniquely identify an individual.
Who does this apply to?
The new laws coming in aren’t just for big business either, they are for anyone who processes or stores personal data, GDPR breaks this process down into two areas;
“A processor is responsible for the processing of data on behalf of the controller.” We can break this down, so it is easier to understand;
Do you capture data on living persons?
Do you store data on living persons?
If you answer yes to either of these questions you are a data processor, and you have a set legal obligation for the processing and storage of this data, and you are legally liable for any breaches.
“A controller is someone who determines and purpose and means of processing personal data”. We can break this down, so it is easier to understand;
- Do you keep or process any information about living people?
- Do you decide what type of personal information is requested?
- Do you decide how this data is used?
If you answer yes to either of these questions then you are a data controller, and you have a set of your legal obligations, as well ensuring your data processors are complying with GDPR guidelines.
It is possible to be both a data controller and a data processor, in this scenario you all legal obligations lie with yourself.
You are an educational institution, and you are responsible for the day to day development of your website. You collect data on users who download your prospectus.
In this scenario, you are both the data controller and the data processor
You are a local authority, and you employ a design agency to build and maintain your website, you tell the agency which information you want to collect and where to send it.
In this scenario, you are the data controller and the agency is the data processor, you still have a legal obligation to make sure the agency is confirming to GDPR guidelines.
There are six legal bases for the processing of data; consent, contract, legal obligation, vital interest, public task and legitimate interest all of which have equal weighting, which you choose depends on the context of the processing. At least one must apply when collecting personal data. For today we shall cover the subject of consent.
The individual must give explicit consent for you to use their data, this consent has to be granular and must list out explicitly what they are consenting to. You can not request consent for one reason and then use that consent for another reason without requesting additional informed consent from the individual.
ABC-Gifts.com may request an email address from a user at the point of purchase; the user consents that their email is used to send tracking updates to them.
In this scenario, the email address can only be used to send the customer tracking updates, in the future if ABC-Gifts wanted to send marketing material they must request additional consent from the user.
If the user did consent to additional marketing communications, these communications could only be from the named organisation(s) that were present at the original consent giving stage, if you wanted to pass this user data onto a 3rd party the user would again have to give consent.
- The name of your organisation;
- The name of any third party controllers who rely on consent;
- Why you want the data; and
- What you do with it;
Consent must be explicit, clear and easy to understand, and confirmation must be in words. Users must actively opt-in to consent, so no pre-filled text boxes and vague statements. When consent is a pre-condition of service, this may not be the correct legal basis for data processing.
Once gained, it must well signposted and easy for users to be able to remove or change their level of consent if a person withdraws their consent you cannot then change the legal basis for processing of data. For example, you can not change the reason for data processing from consent to contract as this infers that there was a choice at the original point of giving consent.
Recording and managing consent
Referred to as the principle of accountability. It covers the policies and processes with which you gained consent (as well as the other 5 legal bases) you must keep up to date records of when and how you obtained consent, the legal basis of which you gained consent and any changes to the consent along with evidence of acceptance to changes in consent.
Fines — determination and amount
Fines fall into the following categories:
- Nature of infringement
- Preventative measures
- Data type
- Other aggravating or mitigating factors
With only the gravest infringement being used to determine the fine for the non-compliant firm, this does not make things any less severe.
The lower level fine is up to €10 Million (£8,750,000) or 2% of worldwide revenue.
The upper-level fine is up to €20 Million (£17,500,000) or 4% of worldwide revenue.