The General Data Protection Regulation (GDPR) signifies one of the biggest changes to privacy laws to take effect across the European Union in more than 20 years. With less than six months to go until the Regulation comes into force on 25 May 2018, businesses are raising questions about how they can ensure compliance.
Approved by the EU Parliament on 14 April 2016, the regulation brings the law up-to-speed with the new and current ways data is being used both on and offline. In the UK, the GDPR replaces the Data Protection Act 1998 (DPA), which was enacted following the EU Data Protection Directive 1995. Amongst the changes that will come into force, companies will face heavier fines for non-compliance and data breaches, while Data Controllers within businesses must prove accountability on an individual and organisational level.
At the core of the legislative changes is the concept of consent. The GDPR gives people more say over what companies can do with their data, including who they can share it with and how their data is processed. The concept of consent is not new, but the level of consent that must be obtained is. The GDPR sets a higher standard than that required under the DPA; companies must ask for positive consent by using an unambiguous statement that requires users to take an affirmative action to ‘opt-in’. The new definition of consent collates existing European guidance and good practice.
Put in practical terms, businesses must review consent mechanisms to ensure compliance with the GDPR by May 2018. Broken down, the requirements are:
- Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
- Active opt-in: pre-ticked opt-in boxes are invalid. Use unticked opt-in boxes or similar active opt-in methods.
- Granular: give granular options for consent wherever possible and appropriate. This means seeking different levels of consent if data can or will be used in different ways or by different parties.
- Named: name your organisation and any third-parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
- Documented: keep records to demonstrate what the individual has consented to, including what they were told, and when and how they consented. Greater emphasis is placed on the documentation that Data Controllers must keep to demonstrate their accountability.
- Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
The GDPR changes that come into effect in May 2018 reflect a more dynamic idea of consent and not simply a one-off compliance box to tick and file away. Businesses must proactively manage how they approach consent, and have business procedures in place to continually review how they store, use and share data.
If you have concerns about ensuring organisational compliance ahead of the GDPR’s in-force date, talk to one of our experienced legal representatives at QualitySolicitors. We combine a high level of legal expertise with business know-how to future-proof your success.