In case you hadn’t noticed, Sonnet has been a little wrapped up in the GDPR for the last few weeks (you can receive our e-books here).
We’ve specifically been considering the implications the GDPR will have on the B2B community and what we will need to do to be able to keep communicating with each other.
Part of our white paper looks at the differences from the DPA of 1998 to the GDPR of 2018. To give you a quick overview we’ve listed three major changes that will be happening.
1. Data Protection Officers
Data Protection Officers are independent roles embedded within businesses/organisations to ensure compliance at all times. Not all organisations will need a DPO, but those currently required to appoint one under the GDPR are:
- Public Bodies
- ‘Big Data’ companies
- Processors of sensitive data
A DPO may be a current employee of the business, but you will need to put additional measures in place to ensure employment protections, no conflict with their existing job role, and that they will be able to work with complete independence.
If you are looking to introduce a DPO, they will not need specific credentials, but they will require in-depth knowledge of the GDPR. While they may not need specific qualifications now, they may do in the future.
2. Accountability – demonstrating compliance
We have spoken about this before (see our previous blog for more details): the GDPR asks organisations to take their day-to-day processing of data more seriously, taking a proactive rather than reactive approach.
The new accountability principle requires you to demonstrate that you are complying with the GDPR, and it makes clear that you are explicitly responsible for compliance.
The accountability principle requires that you:
- Implement appropriate technical and organisational measures that demonstrate that you comply
- Maintain documentation of data processing (where relevant)
- Appoint a DPO when necessary
- Use data protection impact assessments where necessary
The introduction of the accountability principle asks businesses to create a more structured process for data processing; the ICO encourages a company-wide GDPR policy that covers the accountability principle.
3. Consent requirements
Capturing consent is one of the biggest changes under the GDPR: it requires organisations to ensure the data subject freely gives that consent through affirmative action. The definition has been modified from the Data Protection Directive definition, which previously stated:
“any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
whereas the new GDPR definition clarifies:
“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
The GDPR explicitly states that there are to be no more pre-ticked boxes and that organisations must name any third-party organisations that will rely on this consent.
It also tightens an organisation's requirement to demonstrate its consent processes.
Regarding record keeping, when receiving consent you should keep a record of:
- Who the consent refers to
- When you received their consent
- How you received their consent
- What they were told at the time they gave consent
- How they can opt-out
The GDPR is an opportunity for businesses to revisit their data processing activities, and these three major changes will take time to implement. If you haven't begun strategising for May 25th, our latest white paper may help kick things off.