GDPR for Dummies — Vol. 2

Contractbook
Contractbook - The Contract Revolution

--

GDPR. Christmas comes early this year, as we have taken it upon ourselves to read 88 pages of EU-produced lawyer nonsense and provide you with all the basic information you need to be prepared for when the General Data Protection Regulation comes into force. During the coming weeks, we will present to you an advent calendar of GDPR articles, this being the second. You can read Step #1 right here.

Step #2 — Manage consent (The second of four steps to becoming GDPR compliant)

If you followed the guidelines on GDPR from last week, you now have an overview of the data you process. You know what data you collect, what you are using it for and who you are sharing it with. You may have realised that you only handle very little data, just enough to pay your employees — good for you. Maybe you collect emails to send out newsletters and special offers — still manageable. Or, you may run a surveillance program for the NSA — in that case, we highly recommend that you look for guidance elsewhere.

Either way, getting your data organized is an important first step, since you have to be able to prove your GDPR compliance. If your data processing is honest and well-intentioned, the GDPR will probably not cause you too much headache, but it is the alpha and omega to have everything in order.

Up next:

Make sure you have consent and that your contracts/agreements are GDPR compliant

Create a manageable archive

Consent is the way to a clear conscience

Whether the personal data is acquired through an employment contract or a website, consent must be “freely given, specific, informed and unambiguous.” You have to inform the data subject of your identity, the purpose of the data you collect, how they can withdraw their consent and where they can complain if they feel their rights have been violated. In Denmark, complaints are handled by Datatilsynet.

Silent acceptance is not considered consent, as it has to be given actively to be GDPR compliant. Ticking a box on a website is considered affirmative and active, but the box cannot be pre-ticked.

When you are asking for consent, it has to be clearly distinguishable from other matters in a written document. It must be written in an “easily accessible form, using clear and plain language.” You will not be able to hide it in the middle of a Terms and Conditions text the length of a Charles Dickens novel.

The purpose of the processing should be clearly stated. If the processing has multiple purposes, consent should be given for all of them. Also, the purpose has to be legitimate. You should also inform the data subject of how long you plan to keep the data. If you suddenly find a new purpose for the data, you should get consent again.

The data subject must be made aware if you share personal data with a Data Processor and for what purpose. You have to make sure that the processor is GDPR compliant, and you must appoint the processor in the form of a binding written agreement. We will provide you with a free template for such an agreement very soon.

This might seem like a lot of information, but it is quite straightforward if you only collect data on your employees. You just have to make sure you have their consent and that you only collect the data you need to achieve your purpose. Name, bank details and social security number are necessary to pay salary. The legal purpose is clear and the employee has an interest. Explain that in the contract, and you will be fine. Are you monitoring your employees and obtaining their data for statistics? Fair and square, but it also has to be transparent and specifically stated. Good advice is to keep data collection to a bare minimum. When in doubt, play it safe.

This is very important for new hires, but you also need to make sure that your existing employees are notified of their legal rights. We recommend that you revise all contracts while you are at it.

Organize, organize, organize

The right to be forgotten entitles the data subject to have the data controller erase his/her personal data if it is no longer relevant to the original purpose or if the data subject withdraws consent. The GDPR even states that it should be as easy to withdraw consent as to give it. The data controller has to notify the data processor if a person wants his/her data removed and erased.

The data subject also has a right of access. They have the right to know whether or not personal data concerning them is being processed — where and for what purpose. If the data subject asks for it, you have to be able to provide them with a copy of the personal data, free of charge, in a machine-readable format.

Data portability is another new thing in the GDPR. Data portability means that a person must be able to receive their data in a readable and interoperable format. A person should be able to move, copy and transmit their personal data to another controller and another IT environment. At best, it should be possible to download the data directly.

All of this is quite easy to manage with the right tools. If you keep all your employment contracts in a random binder or in some endless unorganized email thread, you will have a hard time living up to this.

With a tool like Contractbook, you can make sure that all your contracts are kept organized in one place. They will be erasable, easy to access and you can trace the entire process, which enables you to prove your compliance if needed.

Next week we will be back with Step #3 — Security.
