Re-consenting under the General Data Protection Regulation
When the GDPR comes up, the question naturally arises whether companies have to re-obtain consent from everyone in their databases. The Regulation sets a high standard for consent, yet the short answer is “no.” What really matters is the mechanism by which consent is obtained, given, recorded, and managed.
Consent should be regarded as an issue separate from the Regulation's other preconditions. Freely given and freely withdrawable, it is a lawful basis that legitimizes processing and transferring data, as well as making automated decisions. Individuals must also be made aware of their right to withdraw. By offering a real choice you improve your chances of winning customers’ trust and enhancing your reputation; given this choice, they take control of how their personal data are used. To be easily understood and willingly accepted, a consent request should include the following:
- your company name
- the name of any third party with whom data may be shared on the basis of the consent
- the reason for the request
- what you will do with the data
- a reminder that consent can be withdrawn
A consent request must be clearly worded; clear wording gives customers a good reason to accept the conditions rather than resist them.
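As an added illustration of the “recorded and managed” part (example code, not from the original article), the following consent ledger stores each consent with the elements listed above, refuses to record a request that lacks one of them, keeps withdrawn consents as an audit trail instead of deleting them, and answers whether processing for a purpose, optionally with a named third party, is currently permitted. The class and field names are assumptions chosen for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

@dataclass
class ConsentRecord:
    subject_id: str
    controller: str             # your company name
    third_party: Optional[str]  # who the data may be shared with, if anyone
    purpose: str                # the reason for the request
    processing: str             # what you will do with the data
    withdrawal_notice: str      # the reminder that consent can be withdrawn
    given_at: datetime
    withdrawn_at: Optional[datetime] = None  # set on withdrawal, never deleted

class ConsentLedger:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, subject_id: str, controller: str, purpose: str,
               processing: str, withdrawal_notice: str,
               third_party: Optional[str] = None) -> ConsentRecord:
        # Refuse to log a consent whose request lacked a required element.
        for name, value in (("controller", controller), ("purpose", purpose),
                            ("processing", processing),
                            ("withdrawal_notice", withdrawal_notice)):
            if not value.strip():
                raise ValueError(f"consent request is missing {name}")
        rec = ConsentRecord(subject_id, controller, third_party, purpose,
                            processing, withdrawal_notice,
                            datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str) -> int:
        # Mark every active consent of this subject for this purpose withdrawn.
        now, count = datetime.now(timezone.utc), 0
        for rec in self._records:
            if (rec.subject_id == subject_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at, count = now, count + 1
        return count

    def is_permitted(self, subject_id: str, purpose: str,
                     third_party: Optional[str] = None) -> bool:
        # Only an un-withdrawn consent for this purpose counts; sharing additionally
        # requires that exactly this third party was named in the request.
        return any(rec.subject_id == subject_id and rec.purpose == purpose
                   and rec.withdrawn_at is None
                   and (third_party is None or rec.third_party == third_party)
                   for rec in self._records)
```

The constructed sample data in the test below show that consent given for one purpose does not cover sharing with a third party that was never named, and that a withdrawn consent stops permitting processing while its record stays in the ledger.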
Benefits
Besides setting limits on the processing of personal data and making compliance demanding, the GDPR can also bring considerable operational benefits.
- Cost-saving
Digital information is generally stored on media, hosts, and servers, so large companies face the cost of continually buying more storage space. These expenses can be reduced: bringing data into one place under the GDPR puts everything in order, consolidates data libraries, and frees space by deleting information that is no longer needed.
- Reputation
Full adherence to the Regulation is not as difficult to achieve as it may seem. By complying with the GDPR, you become a more trustworthy and responsible data handler. Everyone whose personal data are recorded and stored can rest assured that his or her privacy is protected. This acknowledgment is, in turn, likely to attract your target audience and drive further business development by guaranteeing safety and reliability.
- Analytics
The third benefit of GDPR compliance is analytical knowledge. To organize sets of information in the best possible way, you need the means to do so. To take advantage of analytics (e.g. targeting the key audience by singling out its distinctive topics and themes), you need to know where all your data are located and make sure that, once consolidated into one set, they are never duplicated. Once the data are separated into groups, the ways to improve analytical performance suggest themselves.
- Wider benefits
The above benefits are not all you can derive from GDPR compliance. High-quality information management can increase communication efficiency. You will also be able to engage in deep analysis and problem solving, which allows companies to track the quality of employees’ work.
Risk-based GDPR compliance
Along with benefits, Europe’s new General Data Protection Regulation entails certain risks. Here, risk means any likelihood of a negative effect on data subjects’ rights, and data controllers should always be able to predict the potential harm, evaluate its severity, and assess its probability. The degree of risk can vary:
- High risk. Activities involving such risks compel controllers to consult the data protection authorities and implement thorough risk mitigation. In addition, a data breach must always be reported.
- Risk. Even though the risks are moderate, a level of security appropriate to their severity, and compliance with the Regulation, must be ensured.
- Low risk. Where the risks are minimal, a controller may be relieved of the obligation to report a data breach and to appoint a representative in the EU.
Significantly, the GDPR does not explain how organizations should assess the degree of risk, but the requirements and obligations arising from high risk are stated clearly. Controllers are bound to regularly analyze activities that may threaten individuals’ rights and freedoms and to monitor publicly accessible data, paying particular attention to special categories of data. If this analysis shows that an activity can result in high risk, controllers have to consult the authorized body on mitigating it. Finally, after informing the relevant authorities, controllers are to notify the individuals that their personal data are under threat. These notifications are not obligatory, however, when the controller has already implemented protective measures, when the risk is no longer high but remote, or when the notification itself could cause even more damage.
Though the severity of any harm is relative, the GDPR does provide some examples of high-risk activities. These include extensive automated profiling, large-scale processing of certain data, and large-scale monitoring of publicly available data. This is not an exhaustive list of potentially damaging activities, however: risk is not yet clearly defined, and every controller can rely on the guidance of the authorized bodies on this matter.
Cases
Every technology vendor will have to adapt to the new regulation. There is no universal solution, and every case will be unique, but here are some examples of what compliance may look like.
- Microsoft
Back in 2017, Microsoft published a white paper setting out its interpretation of the GDPR. It is not advice for other organizations to follow but an explanation of how Microsoft, as a multinational company, intends to apply the Regulation. By including a number of graphs in the document, Microsoft makes sure readers understand how to comply with the GDPR, what data are regarded as personal, and how they are created, processed, and managed.
- Google
The Right to be Forgotten is one of the key aspects to consider in Google’s case. Article 17 explains under what circumstances a data subject can request erasure of his or her personal data, but it does not explain how this should be done. In the case of Google’s search engine, personal data are freely available in the public domain, and even old and outdated information can still be found there, which increases the risk that an individual will experience a negative impact later in life. Under the GDPR, data subjects have two options: they can request the erasure of specific search results from Google, or the removal of the information itself, so that it can no longer be seen either by people with direct access or by the public.
- Facebook
To help its users make an informed choice about their privacy, Facebook will soon introduce a set of special tools. The EU regulation aims to give Europeans more control over their information, and Facebook is ready to endorse this initiative. The objective of the so-called “privacy center” will be to inform people by such means as educational videos, which will appear in the news feed, and through customer support.
Knowing the weak points
Among other things, the integrity of third parties is an important structural element of the system created by the EU regulation. It is usually a third party that gives attackers a weak link. Thus, even if you as a data controller (e.g., an app publisher) have met all the requirements, users’ data privacy is not yet guaranteed: SDKs embedded in your app can try to access information protected under the GDPR. Knowing this, developers and data controllers can still learn to deal with third parties such as SDKs.
Even when a third party is named in a consent request, the data controller remains the party mainly responsible for mitigating all the risks. These steps minimize exposure to them:
1. Study your data locations.
2. Make sure your personal data are well-protected.
3. Decide on whether you need a Data Protection Officer.
4. Track the activity of third parties to keep them GDPR compliant.
5. Monitor the path of the personal data.
6. Check for adequate security measures taken by the SDKs.
7. Use automated tools to monitor the data processors’ impact on your app.
When it comes to GDPR compliance, the issue should be viewed in a broad perspective, since it entails both benefits and risks that require the particular attention of data controllers. In general, the GDPR is very likely to upset the balance between privacy and utility. To restore this balance, each data holder should consider clarifying the EU regulation for its own context. The requirements are contextual here, and their interpretation depends on the organization complying with them. Thus any vendor can take advantage of the situation, set its own boundaries, and make the most of it, keeping in mind that the core concept cannot be changed and the Regulation is not to be ignored.
© 2018, Vilmate LLC