QUESTION & ANSWER
Want to ask the board a question? Head over to our Contact page and send us an email.
What is privacy by design?
Privacy by design is the idea of promoting privacy and data protection from the beginning, embedding it into your standard processes, rather than treating it as an afterthought. Under the GDPR, you are not required to take this approach; but doing so will help compliance hugely. Privacy by design means making sure that privacy and protection is a key consideration during the early stages of any project.
Privacy and data protection should be considered when building new IT systems for storing or accessing personal data; developing any legislation, policy or strategies that could have privacy implications; commencing any data-sharing initiative or using data for new purposes.
What is consent?
Under the GDPR, you as the data controller will have to be scrupulous in demonstrating valid consent for data usage. So you won’t be able to send a marketing email to a customer who hasn’t explicitly chosen to receive one, for example.
This consent must also be verifiable so you should keep a record of how and when this consent was given. Additionally, individuals have a right to withdraw consent at any time so you need to ensure that this is easy to execute. You also need to be able to show that the record is permanently deleted and not just removed from a single document or mailing list.
Another new angle to the idea of consent under the GDPR is that it must comprise a positive indication of agreement. This means you will no longer be able to assume consent from silence or offer a pre-ticked box. This might mean keeping a record via screengrabs or saved consent forms.
What is the right to be forgotten?
The right to be forgotten, or right to erasure, applies only in specific circumstances. These include:
- where the data is no longer necessary for the purpose for which it was originally collected and processed,
- if the individual withdraws consent,
- if the data has been unlawfully processed and it has to be deleted in order to meet a legal obligation.
If you’re processing children’s personal data you will need to pay specific attention to situations where a child might have given consent to processing but then later request that the data is erased (irrespective of their age at the time of the request). This is especially pertinent on social networking sites and forums.
Under the DPA, the right to erasure was limited to any data processing that causes “unwarranted and substantial damage or distress” but under the GDPR, this criterion is not present. Anyone can request to have their data erased.
When can I refuse to comply with a request for erasure?
You can, of course, refuse to comply with a request for erasure, but the authority to do so is restricted to certain circumstances:
- where the data is processed to exercise the right of freedom of expression and information (such as for investigative journalistic purposes),
- to comply with a legal obligation,
- for the performance of a public interest task or the exercise of an official authority,
- for public health purposes that are in the public interest,
- for archiving purposes that in the public interest,
- scientific, statistical or historical research or the exercise or defence of legal claims.
Do I have to tell other organisations if I’ve erased personal data?
If you have disclosed personal data to any third parties, you must tell them about any erasure of personal data, unless it is impossible to do or if it involves “disproportionate effort” to complete.