GDPR - Fair Processing Notices
We are all hearing a lot about the General Data Protection Regulation (GDPR) at the moment, and rightly so. The changes we need to make are sweeping and in my opinion these will have as big an impact on us as the journey to FCA authorisation did.
We’ve held a series of seminars on the subject and participants have been surprised at the level and complexity of some of the changes, for example the need for multiple fair processing notices depending upon the type of data you are processing or controlling.
Fair Processing Notices need to be sent before or at the time of consent, where consent is the basis upon which you are processing the data. Where it is not, you need to provide a Fair Processing Notice upon receipt of the data or at the first practical point thereafter. The ICO has produced a helpful overview of the new rules in relation to consent:
The GDPR sets a high standard for consent.
Doing consent well should put individuals in control, build customer trust and engagement, and enhance your reputation.
Check your consent practices and your existing consents. Refresh consents if they don’t meet the GDPR standard.
Consent means offering individuals genuine choice and control.
Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.
Explicit consent requires a very clear and specific statement of consent.
Keep your consent requests separate from other terms and conditions.
Be specific and granular. Vague or blanket consent is not enough.
Be clear and concise.
Name any third parties who will rely on the consent.
Make it easy for people to withdraw consent and tell them how.
Keep evidence of consent – who, when, how, and what you told people.
Keep consent under review, and refresh it if anything changes.
Avoid making consent a precondition of a service.
Public authorities and employers will find using consent difficult.
Remember – you don’t always need consent. If consent is too difficult, look at whether another lawful basis is more appropriate.
The exact content of your privacy notice depends upon several factors; one is whether or not you are relying on consent. If you are, you need to include a list of the third parties with whom you may share the customer’s data, which, as you can imagine, might be quite lengthy.
The content also depends on whether you obtained the data from the data subject directly or from a third party. In the latter case you are obliged to include details of the third party who has given you the information and to state whether the data is publicly available.
Finally, the content also depends on whether you undertake any automated decision making or profiling. Article 13, para 2(f) states that you need to make the customer aware of the existence of any such automated decision-making or profiling, including information about the logic involved and the significance of the envisaged consequences of such profiling for the data subject. This is of course subject to the new general rules around automated decision making or profiling, and you need to inform the data subject of their rights.
We, at RB Compliance Consultancy, are busy creating an example notice to help you envisage what is required. If you would like a copy, sign up to one of our GDPR seminars:
Newcastle – 9 June 2017 – 9am until 3pm.
Leeds – 19 June 2017 – 9am until 3pm.
Manchester – 30 June 2017 – 9am until 3pm.
For more information, or to book a place, please visit the events section of our website: www.rbcompliance.co.uk
or contact us with any queries on: