The GDPR Roadshow: Unearthing the Three Universal Areas of Concern

The General Data Protection Regulation (GDPR) has been the hot topic of concern across industries for the past year. With less than a year to go until the regulation comes into effect, the rhetoric has not always been constructive, with the focus often wavering towards the doom and gloom: primarily the large fines for poor compliance.

Adopting a more proactive approach, Amido recently paired up with its partner Janrain to host a GDPR roadshow across three European cities.

Through combining a seminar setup with roundtable discussions and a hands-on workshop, Steve Jones, Senior Consultant at Amido, and Martijn Loderus, Senior Director at Janrain, showed attendees how understanding Identity Management could help them on their journey to GDPR compliance.

Leaders from a broad spectrum of industries, ranging from pharmaceutical enterprises and mobile network operators to global banks and homeware retailers, were brought together in London, Paris and Amsterdam to discuss GDPR and what it meant to them.

Despite the diversity of industries represented during the roadshow, the same three areas of compliance emerged as concerns:

1. Legitimate Processing and Consents

What is it?

Under the Data Protection Act (DPA), the person simply gives blanket consent to an organisation to process his/her personal data. This limits the individual to just one opt-in/out option in terms of holding and using this data. However, under GDPR, the individual will give specific consent to the processing of personal data as there is a choice with what the individual consents to share, and with whom, rather than there being an all-inclusive agreement.

Why are people concerned?

Under GDPR, data processing is based on consent and so companies will have to demonstrate that the individual agreed to the processing of his/her personal data. As a result, the new regulation could mean that any personal data that has been collected under DPA might not be legitimately held under GDPR.

Organisations that cannot rely on existing consents will need to implement a process to obtain new consents that meet GDPR requirements, before May 2018. In addition, they will need to be sure they have systems or processors in place that can support the easy withdrawal of consent if an individual chooses to do so.

2. Notices

What is it?

The new regulation places far more weight behind making privacy notices understandable and accessible than currently addressed under the DPA. Not only must more information be included, but the information provided to people about how their data will be processed must be concise, transparent, accessible and written in clear, plain language, particularly if addressed to a child.

Why are people concerned?

With notices having to be more concise whilst also containing more information, organisations are faced with a paradox as privacy notices must be both shorter and longer.

Children’s data underpins a lot of the concerns around privacy notices. If an organisation processes children’s data, it may need to seek the advice of local legal authorities in each EU member state from which the data would be collected, because the treatment and requirements differ between member states.

3. Data Subject Rights and Procedures

What is it?

GDPR will introduce a number of new rights and extend several existing ones, which individuals can exercise against controllers. Rights around portability (how data is transported from one place to another), restriction of processing and compliance with individual requests will be strengthened, underpinning the regulation's focus on transparency and accountability.

Why are people concerned?

The focus on individual rights puts individuals and their rights at the heart of the GDPR. As a result, organisations/controllers of personal data will need to establish mechanisms before May 2018 so that they are in a position to demonstrate compliance when individuals seek to exercise these rights. These mechanisms will need to extend to the data processors used by the controller, as the controller remains responsible for ensuring compliance across third-party service providers as well.

These rights have the potential to limit the ability of organisations to lawfully process individuals’ personal data which, in some cases, may have a significant impact upon an organisation’s business model.
