The GDPR requires organisations to maintain records of processing activities
in an effort to update rights for a networked world.
For processing to be lawful under the GDPR, an organisation needs to identify a lawful basis before it can process personal data, which in turn has an effect on individuals’ rights. The regulation defines the lawful bases available for processing personal data, along with special categories of data, and organisations must document this.
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action, and consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and there must be simple ways for people to withdraw it.
Contract is a lawful basis if an individual’s personal data needs to be processed to fulfil contractual obligations to them, or because they have asked the organisation to do something before entering into a contract (e.g. provide a quote). If the organisation could reasonably achieve what they want without processing their personal data, this basis will not apply. The decision to rely on this lawful basis should be documented with justified reasoning.
Records of processing
If an organisation has more than 250 employees, it must maintain internal records of its processing activities. With fewer than 250 employees, it is required to maintain records of activities related to higher risk processing.
The regulation includes rules on giving privacy information to data subjects, which place an emphasis on making privacy notices understandable and accessible. Whilst data controllers are expected to take appropriate measures to make this happen, there is still discretion to consider where the information required by GDPR should be displayed in different layers of a notice.
There are new provisions intended to enhance the protection of children’s personal data. Where services are offered directly to a child, an organisation must ensure that its privacy notice is written in a clear, plain way that a child will understand. If an online service is offered to children, consent may be needed from a parent or guardian to process the child’s data.
Solvassure. Compliance Technology.