- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Data accuracy
- Storage limitation
- Integrity and confidentiality (security)
Any processing of personal data should be lawful and fair. It should be transparent to people that personal data concerning them is collected, used, consulted or otherwise processed and to what extent the personal data is or will be processed.
The principle of transparency requires that any information and communication relating to the processing of personal data be easily accessible and easy to understand, and that clear and plain language be used.
9. What Makes Processing Legal?
- Is necessary for the performance of a contract
- Is in compliance with a legal obligation
- Is necessary to protect the vital interests of the data subject
- Is in the public interest or exercising official authority
- Is with the consent of the person
- Is in the legitimate interests of the controller, or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the person
The definition of consent has been changed under GDPR. The data subject’s consent means:
- "Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed."
- "Silence, pre-ticked boxes or inactivity should not therefore constitute consent."
GDPR also makes it clear that consent should not be conditional upon sign-up to another service, i.e. bundled together.
Individuals must also be told they can withdraw consent and it must be simple to do.
Proof of Consent
Organizations processing data with consent must demonstrate they have obtained consent fairly and that the individual was given the necessary information to understand their choices.
In practice this means having some way of recording in the database the details of the consent gained, e.g. the type of consent, purposes of use that were stated, date gained, etc.
Most businesses will struggle to accommodate the detailed records which may be needed under GDPR on current systems, and significant development may well be needed.
Data controllers will have to decide whether they will record consent by channel (regarded as best practice, but not an absolute requirement of GDPR).
The date a consent was given should be recorded as well as the mechanism used to obtain consent (online clicks or positive agreement on the telephone for example).
Actual wording used at the time consent was obtained will also need to be provided if there is a challenge to the validity of the consent.
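The record-keeping described above (type of consent, stated purposes, date, channel and mechanism, verbatim wording, and a simple withdrawal path) can be modelled as an append-only consent ledger. The following is an added illustration, not code from the original article or from any real consent product; the purpose names, channel and mechanism labels, and the split between affirmative and non-affirmative mechanisms are assumptions chosen for the example. It also shows the other two points the text makes about consent: pre-ticked boxes and inactivity are refused as a grant, and withdrawal needs no mechanism check at all.

```python
"""Append-only consent ledger capturing what proof of consent needs.

Hypothetical example: purposes, channels and mechanism names are assumed
labels, not values from any real system.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Mechanisms treated as a clear affirmative action (assumed list).
AFFIRMATIVE_MECHANISMS = {"unticked_checkbox", "verbal_yes", "signed_form"}
# Mechanisms that must not count as consent (silence, pre-ticked boxes, inactivity).
INVALID_MECHANISMS = {"pre_ticked_box", "silence", "inactivity"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purposes: Tuple[str, ...]   # purposes of use stated to the person at the time
    channel: str                # where consent was gathered, e.g. "web_form"
    mechanism: str              # how it was signalled, e.g. "unticked_checkbox"
    wording: str                # verbatim text shown or read out at the time
    wording_sha256: str         # fingerprint so the stored wording can be checked later
    recorded_at: datetime       # timezone-aware timestamp of the event
    granted: bool               # True = consent given, False = consent withdrawn


class ConsentLedger:
    """Events are only appended; current state is derived by replaying them."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, subject_id: str, purposes: Tuple[str, ...], channel: str,
                mechanism: str, wording: str, granted: bool,
                at: Optional[datetime]) -> ConsentEvent:
        event = ConsentEvent(
            subject_id=subject_id,
            purposes=tuple(purposes),
            channel=channel,
            mechanism=mechanism,
            wording=wording,
            wording_sha256=hashlib.sha256(wording.encode("utf-8")).hexdigest(),
            recorded_at=at or datetime.now(timezone.utc),
            granted=granted,
        )
        self._events.append(event)
        return event

    def grant(self, subject_id: str, purposes: Tuple[str, ...], channel: str,
              mechanism: str, wording: str,
              at: Optional[datetime] = None) -> ConsentEvent:
        """Record a grant; refuse anything that is not a clear affirmative action."""
        if mechanism in INVALID_MECHANISMS or mechanism not in AFFIRMATIVE_MECHANISMS:
            raise ValueError(f"{mechanism!r} is not a clear affirmative action")
        if not purposes:
            raise ValueError("consent must be specific: state at least one purpose")
        return self._append(subject_id, purposes, channel, mechanism, wording, True, at)

    def withdraw(self, subject_id: str, purposes: Tuple[str, ...], channel: str,
                 wording: str = "", at: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawal must be simple, so no mechanism check is applied here."""
        return self._append(subject_id, purposes, channel, "withdrawal", wording, False, at)

    def active_purposes(self, subject_id: str) -> set:
        """Replay the subject's events to find purposes currently consented to."""
        active: set = set()
        for ev in self._events:
            if ev.subject_id != subject_id:
                continue
            if ev.granted:
                active |= set(ev.purposes)
            else:
                active -= set(ev.purposes)
        return active

    def proof(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Latest grant covering `purpose`, or None if it was never given or was withdrawn."""
        if purpose not in self.active_purposes(subject_id):
            return None
        for ev in reversed(self._events):
            if ev.subject_id == subject_id and ev.granted and purpose in ev.purposes:
                return ev
        return None


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("subj-1", ("newsletter", "offers"), "web_form",
                 "unticked_checkbox", "Yes, email me news and offers")
    ledger.withdraw("subj-1", ("offers",), "web_form")
    print(ledger.active_purposes("subj-1"))          # {'newsletter'}
    print(ledger.proof("subj-1", "offers"))          # None
```

Because the ledger never overwrites a row, the date, channel, mechanism and exact wording of every grant survive a later withdrawal, which is what a challenge to the validity of consent would need to see. A real deployment would persist the events in a table with the same columns and treat that table as write-once.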
Under GDPR, profiling has been given a comprehensive definition, which is intended to include all forms of automated decision-making:
During the negotiations of the GDPR text, there was significant concern that all profiling (including that for marketing purposes) would be subject to the requirement for consent. In the final text, GDPR identifies two different types of profiling:
- Profiling with legal or similarly significant effects, i.e. profiling from which "decisions are based that produce legal effects concerning him or her or similarly significantly affects him or her."
- Other profiling without such effects (including most profiling for direct marketing purposes).
Profiling for Direct Marketing Purposes
Profiling for direct marketing purposes is less controlled and explicit consent is not required. But there is still a right to opt-out.
12. The Rights of People, i.e. Data Subjects
Right of Access: Subject Access Requests
Individuals have the right to access all the personal data stored on them. The information needs to be supplied in writing, or in electronic form when the request has been made electronically (unless it is requested in writing).
The key changes in GDPR are:
- There will be no fee for the first copy of information in response to a subject access request. Data controllers may charge if the individual asks for a copy to be sent to another interested party, e.g. their solicitor.
- There is a deadline of one month. The timescale may be extended by two further months if it is a particularly complex request.
- The change to ‘no fee’ may well lead to a rise in the number of requests which controllers receive.
The information which needs to be included within an access response can be significant. Along with the purposes of the processing, and the categories of personal data that have been collected, the controller must also supply the following information:
- The recipients of the personal data, including those outside the EU
- How long the data will be stored
- The right to request rectification or erasure of personal data
- The right to object to processing
- The right to complain to the Supervisory Authority
- Knowledge of personal data still undergoing processing, along with its significance and consequences
Right to Rectification
If a data subject finds any inaccuracies in their personal data they can ask the organization to rectify it.
The Right to Erasure
The existing right to be forgotten has been extended into the right to erasure. This gives people the right to request their personal data be erased ‘without undue delay’.
The Right to Data Portability
Under GDPR there is a new right to data portability, designed to make it easier for individuals to switch accounts.
Instead of looking at GDPR with dread as a costly headache, smart marketers will see it as a unique opportunity to have a complete top to bottom data review. Ensure you're GDPR compliant, but, at the same time, have a full data review and clean up. Reach out to your audience with a new "Preference Center," so that they can tell you exactly what they want to hear about, and how often.
I predict the arrival of GDPR will be the dawn of a new era of personalized marketing that will generate far more business than your current marketing communications could ever imagine.