The General Data Protection Regulation (GDPR), which takes effect on May 25, is a wide-ranging and complex piece of legislation – with very sharp teeth. Non-compliance could cost a business €20m or four per cent of global turnover, whichever is the greater.
An integral element of GDPR is a requirement for organisations to provide individuals with extensive information about the processing of their personal data.
GDPR requirements in a nutshell
- Details of your identity as the ‘data controller’
- What kind of personal data is being collected – such as names, addresses, card information, photographs and technical information including IP address
- The purpose and legal basis for processing
- How personal data is collected – for example whether it is provided by the data subject or collected through cookies
- Why personal data is collected – for instance processing card details for payment before shipping a product to a customer
- When personal data is shared
- When personal data is transferred outside of the European Economic Area (EEA) and what protections are in place to safeguard the personal data
- What choices individuals have in relation to data being shared
- How long personal data is kept – and if no time frame can be provided, how the retention period is to be calculated
- What rights individuals have – including the right to be deleted (see data subject rights below)
What you should know about GDPR: Data subject rights
Data subjects have the right to:
- access personal data held about them
- complain about processing (such as direct marketing)
- data portability
- object to processing undertaken by the data controller
- complain about automated decision making
- have their personal data updated
- be deleted or ‘forgotten’
The implications of the legal basis for processing
The legal basis for processing can be the individual’s consent; that processing is part of the fulfilment of a contract; or for the legitimate interests of the business. The most suitable legal basis should always be selected for any given processing activity.
Where the legal basis for processing is legitimate interest, businesses must also explain precisely what this is in their privacy policies.
Why it is important to understand what consent means
What GDPR says about sharing personal data
Transferring personal data outside the EEA