i-c-whyGDPR & Privacy Policy
General Data Protection Regulation (GDPR)
From 25 May 2018 GDPR updates the current Data Protection Act of 1998 and applies to all organisations that hold personally identifiable information. GDPR requires all to perform a Privacy Impact Assessment (PIA).
In simple terms, A PIA is designed to help all organisations identify where they hold personal information, why they hold it, how it is stored and what they do with it.
For many small organisations, clubs and societies, this is not designed to be onerous but to allow them to focus on what they do hold and why. It is also designed to allow individuals to have more control over their personal data held by organisations.
An organisation can act in two roles that can involve personal data, as the Controller and as the Processor. The definition being, the Controller 'owns' the data and makes all the decisions as to where and how it is used. The Processor can be asked to perform an action on the data but at no point 'owns' the data. An example: A small club holds emails against its members. The club is the Controller. Periodically, they send emails to their members to inform them of club events and they use a cloud based email system to send these emails. The cloud system is the processor. Both have a responsibility towards the data but it is the Controller that has the agreements with, in this case, the club members.
What is Personally Identifiable Information?
This is any information that allows a person to be uniquely identified. A name on its own is not enough, a name and address or a name and telephone number is. If your organisation holds this information, whether in paper or digital format, you need to know and log it. If this information is published, shared, marketed or sold, then this needs to be identified as consent to continue these activities may be required.
What is Sensitive Information?
Sensitive data can include, bank details, security information, medical or financial information. If these are held, not only must these me logged, they must be securely logged. If this information was not directly obtained from the client, consent to continue to hold this information may well be required.
Why is Consent Required?
Giving consent is an active process. The presumption is that consent is not given. Consent is not a default and you cannot bribe for consent or deny services due to consent being withheld. You have to log when and how consent is given and equally you have to log when it is denied. A consent 'tick box' has to be unticked initially and actively ticked if consent is given. Consent is not all encompassing. If you have many instances where personal data is used, each use has to have a consent option. It cannot be 'all or nothing'. The caveat on this is of course, if you become a member of a club, they must have some information from you. To exist as a club, they do not need your consent to hold the minimum of data required. However, you may deny them the ability to share your membership details to another club, or sell them to an organisation that will market associated services to you. The other caveat relates to any legal obligation placed on the Controller or Processor of your data. Finally, there also exists a protection of the operation of a legitimate business. GDPR is not a tool for shutting down legitimate businesses and if your business involves personal data, it may continue without your active consent. However, if consent is then denied, that business has to record your denial and ensure your data is no longer used. It will still be recorded as they need to log your denial and use this to constantly extract your details from their data. Very similar to the current use of the Mail Preference Service (MPS) and Telephone Preference Service (TPS).
What comes from GDPR?
From a documentation view, there are two main documents that can appear; the Privacy Policy and the Data Protection Policy.
The Privacy Policy is designed to detail how personal data is recorded/obtained and used. It also needs to provide a method by which an objection or request can be raised.
The Data Protection Policy identifies the best practices involved in making sure your data is safe and secure.
New member/client forms have to be updated to link to the above documents and also look to obtain consent if it is required.
Organisations now have to be very transparent about any personal data they hold and individuals may request to see that data and also deny consent for their data to be used.
GDPR and i-c-why consulting ltd