Demystifying GDPR. Dealing with the right to be informed.
Under GDPR, everybody has the right to be informed about how you collect and use the personal data you hold about them.
Under GDPR, you (your business) must provide individuals with information covering at least the following:
- Why you are processing this data: your purposes for processing their personal data.
- How long you will retain the personal data you've collected.
- If third parties are involved, who this personal data will be shared with.
IMPORTANT NOTE ON THIS CONTENT
This information is a guide based on the principles of the GDPR and guidance from the ICO. It should not be considered legal advice. For more detail on the specifics of the right to be informed, please refer to the ICO guidance or to Article 13 and Article 14 of the GDPR.
So how do you inform people of their rights?
You must provide privacy information to individuals at the time you collect their personal data from them.
That's why people are shown a privacy notice as part of a signup process: that is the point at which processing of their personal data begins.
What about offline data collection?
On occasion it might not be possible to provide this information at that point in time.
For example, someone might hand you their business card, or you might collect signups on paper at an offline event. In these cases it might be reasonable to send them a link to your privacy notice after you've already recorded their data.
What about data collected from other sources?
If you've obtained personal data from other sources, you must provide your privacy information to those people within a reasonable period, and at the latest within one month of obtaining their information.
What about changes to our Privacy information?
As things change, it's important that you keep people informed of any changes to how you process their personal data. It's equally important that you bring any new uses of their data to their attention before you begin that processing.
Keeping your audience informed about why and how their personal data is used within your organisation is essential to staying compliant.
It also makes good business sense to keep the people involved with your business updated. It helps to build a culture of transparency and trust, which, with privacy becoming a highly rated brand value, is to be encouraged.
What do I need to include within my privacy information?
Here's what you need to provide people within your privacy information. This list is a guide; you only need to include the items that are relevant to your processing.
- The name and contact details of your business
- The name and contact details of any relevant representatives (if that’s applicable).
- The name and contact details of your data protection officer (if you have one).
- Why you are processing this information, including the lawful basis you are relying on (consent, contract, legitimate interests, and so on).
- Who the personal data will be shared with, if anyone.
- What rights people have in relation to the personal data that you're processing.
- How long you store this information.
- How people can withdraw consent, where consent is your lawful basis for the processing.
- How people can lodge a complaint about this processing with the supervisory authority (the ICO in the UK).
- If you are receiving this data from a third party, where the data comes from.
- Details of any automated decision-making or profiling that you may be conducting with this data.
Other things you need to consider
Yes, there is more.
If you need to share personal data with other parties
If you share personal data with, or sell it to, other organisations, you need a lawful basis for doing so (for selling data this will usually be consent). You must tell the people involved, and tell them with whom you have shared or sold their information. Wherever possible, it's good practice to let people manage who their data is shared with where they have a choice in the matter.
For example, if you are running an exhibition, rather than sharing full attendee details with every exhibitor, offer the individuals who sign up for the event the ability to decide which exhibitors they wish to share their personal data with.
If you have bought personal data
If you buy personal data from third parties, then wherever possible you must provide those people with your own privacy information.
For example, suppose I run a hotel and I receive bookings from booking.com.
I am effectively buying that information from a third party. However, the individual involved would not see it that way: they are simply making a booking and would expect the hotel to process it.
Therefore, it could be considered reasonable not to push the hotel's privacy information to them prior to their arrival. The individual will already have agreed to the booking terms on Booking.com, which cover the sharing of the booking information with the relevant hotel.
After all, without this information the booking cannot take place.
What about the processing of "publicly" available data?
This is a commonly asked question. If you get personal data from publicly accessible sources, the same rules apply. You still need to provide people with your privacy information.
If you think it's impossible or would involve disproportionate effort to do that, then you must carry out a data protection impact assessment to identify and mitigate the risks involved in processing such data.
This might sound excessive; however, if publicly accessible personal data is combined with information from other sources, the result can become very intrusive. So it's important to provide these people with privacy information wherever possible.
That protects their rights and interests, and it also helps protect your organisation from potential fines.
What about AI projects?
Everyone seems to be doing something with machine learning or AI at the moment.
If you are applying artificial intelligence to personal data, then, as with all types of personal data processing, the ICO advises that you should be upfront about it.
If the purposes of the AI aren't clear at the beginning of your project, which is often the case, and the processing involves personal data, you need to give the people involved an indication of what you're going to do or what you're trying to achieve.
As things become clearer, make sure you update your privacy information and actively communicate the changes to those involved.
As with other new uses of personal data, you should complete a data protection impact assessment, and you need to inform people before you actually start the processing.
How GDPRworkflow can help
GDPRworkflow provides a multi-user SaaS platform that is pre-configured around the ICO guidance for GDPR, giving you a supported and easy-to-follow process for configuring the GDPR framework for your business. It's GDPR made easy.
Book a free 30 minute consultation and we'll be delighted to tell you more.