Processing personal data

The GDPR requires organisations to maintain records of processing activities in an effort to update rights for a networked world.

Records of processing

If an organisation has more than 250 employees, it must maintain internal records of its processing activities. An organisation with fewer than 250 employees is required to maintain records of activities related to higher-risk processing.

Lawful basis

For processing to be lawful under the GDPR, an organisation needs to identify a lawful basis before it can process personal data, which in turn has an effect on individuals’ rights. The regulation defines the lawful bases available for processing personal data, along with special categories of data, and organisations must document this.

Consent

Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action, and consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and there must be simple ways for people to withdraw it.

Children

There are new provisions intended to enhance the protection of children’s personal data. Where services are offered directly to a child, an organisation must ensure that its privacy notice is written in a clear, plain way that a child will understand. If an online service is offered to children, consent may be needed from a parent or guardian to process the child’s data.

Privacy notices

The regulation includes rules on giving privacy information to data subjects, which place an emphasis on making privacy notices understandable and accessible. Whilst data controllers are expected to take appropriate measures to make this happen, there is still discretion to consider where the information required by GDPR should be displayed in different layers of a notice.
