Decoding GDPR: Your Questions Answered

How do you obtain valid consent under GDPR? What level of data security is ‘secure’? How long should you keep hold of personal data? In this post, we answer some of your most frequently asked GDPR questions.

What’s the difference between a data controller and a data processor, and how does this affect compliance?

There’s a hierarchy of responsibility when it comes to data processing within an organisation. The data controller is at the top of that hierarchy. They are the one responsible for deciding what data the organisation collects and how that data is used. They might, for example, decide whether data is processed in-house or via a third party.

The data controller bears the primary responsibility for GDPR compliance.

A data processor sits a tier below the data controller, processing data in accordance with the controller’s instructions. They are also subject to GDPR regulations, but their role is more about ensuring the in-house rules are followed rather than setting those rules.

By enlisting the help of expert third-party GDPR services, you can ensure your controller and processor roles are well defined, and that the rules they set and operate by are compliant.

How do you obtain valid consent for processing personal data under GDPR?

Consent is at the heart of GDPR. Both the EU GDPR and its UK equivalent prohibit the processing of personal data unless it is allowed by law or the data subject consents.

For consent to be valid, it must be “freely given, specific, informed, and unambiguous”.

“Freely given” means that the consent must not be unnecessarily conditional upon or tied up with some other event.

“Specific and informed” means the data subject must know the identity of the data controller and any third-party controllers. They must also know what processing activities will be carried out and for what purpose, and the data subject should have the option to withdraw their consent at any time (and withdrawal should be a simple process).

“Unambiguous” means that consent cannot be valid when the language used to obtain it is vague, unclear or not transparent.

This does create something of a minefield for organisations. You might, for example, feel your request for consent is entirely unambiguous, yet EU data authorities might take a different view.

Expert GDPR services can help ensure your consent requirements are compliant.

What level of data security should we adopt to comply with GDPR – and what steps should we implement?

The regulation isn’t entirely helpful here, relying on the rather ambiguous phrase “appropriate technical and organisational measures” to define the extent of an organisation’s data security actions.

Effectively, however, this is about ensuring actions are appropriate to the level of risk. An organisation which collects only small amounts of ‘low level’ personal data won’t need to go to the same levels of pseudonymisation, encryption and regular security assessments as an organisation which does collect large amounts of sensitive personal data.

The challenge for most organisations, inevitably, is in ensuring that their assessment of risk matches any objective assessment. Again, enlisting the help of an EU GDPR consultant can help.

How does GDPR affect international data transfers?

One core principle of GDPR is that there should be a continuity of protection no matter how far outside the EU or UK their residents’ data travels. To achieve this, organisations must ensure that any country to which they transfer the personal data of EU/UK residents has passed the data adequacy test (i.e. its data protection provisions are largely equivalent to the UK/EU’s). Data adequacy provisions are in place for a number of countries and territories, including New Zealand, Argentina and Switzerland. The UK and EU also have data adequacy between them.

For countries where there is no adequacy provision in place, the organisation must carefully assess the adequacy of data protection in the recipient country before transferring any data. They may use Standard Contractual Clauses or other appropriate safeguards to do this.

Even for those organisations putting additional safeguards in place, there can be uncertainty as to whether their actions are sufficient. This was the issue at the core of Meta’s record fine for transferring the data of EU citizens to the US, a place where there is as yet no data adequacy arrangement (although that may change soon).

It’s vital, therefore, to enlist expert GDPR consultancy to support data transfer compliance.

How long should we retain personal data?

The GDPR is clear about this: you should only retain data for as long as it is necessary for the purposes for which it was collected. The latter part of this sentence is crucial, preventing organisations from holding on to data ‘just in case’.

What policy should we operate to comply with GDPR?

A deletion policy goes hand in hand with a retention policy. First, determine the data you can legitimately keep (e.g. because you still need it for the purposes for which you collected it) and for how long.

Then develop a policy for data that no longer needs to be retained. Most of the time this will mean deletion, but you may alternatively need to anonymise it or, in the case of a physical record, destroy it.

It’s important that you establish clear policies and follow them. Enlisting the support of GDPR services can help you with this.

How does GDPR regulate profiling and automated decision making?

AI and machine learning are increasing the number of automated decision-making processes to which individuals’ data will be subjected. GDPR gives individuals the right to opt out of such processes and request human intervention where automated decision-making has legal or similarly significant effects on them.

The importance of GDPR consultancy

As with so much legislation, the devil is in the interpretation. As case law is already demonstrating, organisations that believe they have complied with GDPR are finding that isn’t the case when they reach court.

Compliance often presents grey areas, and it is in these areas that our UK and EU GDPR consultants can help mitigate risk, moving organisations beyond hoping that their actions are compliant to a point where they know they are.

Explore how our GDPR services can support you now, get data protection advice or, for questions about your next steps, call +44 1772 217800.