While the underlying principles and rationale of the Directive remain the basis of the GDPR, several important changes are introduced. We have highlighted the following points as we believe them to be of particular relevance to Prezentor as well as our customers:
1. Expansion of scope
The territorial scope is expanded with the introduction of the GDPR: all organizations established in the EU or processing data of EU citizens will be covered, which effectively extends the scope well beyond the borders of the EU itself.
2. Expansion of definitions of personal and sensitive data
The GDPR widens the definitional boundaries of what is considered personal data. This is a crucial change, as it may be conceptually challenging to grasp exactly what is covered by the term 'personal data'.
3. Expansion of individual rights
• Right to be forgotten: An individual may request that an organization delete all data on that individual without undue delay.
• Right to object: An individual may prohibit certain data use.
• Right to rectification: Individuals may request that incomplete data be completed or that incorrect data be corrected.
• Right of access: Individuals have the right to know what data about them is being processed and how.
• Right of portability: Individuals may request that personal data held by one organization be transported to another.
4. Stricter consent requirements
Consent is one of the cornerstones of the GDPR, and organizations must therefore ensure that consent is obtained in compliance with the GDPR’s stringent new requirements. You will need to obtain consent from your contacts for every specific usage of their personal data, unless you can rely on a separate legal basis, such as those described in point 5 below. However, the safest route will be to obtain explicit consent, which is why we have developed GDPR-friendly forms to facilitate obtaining consent.
Things to consider with regards to consent:
• Consent must be specific, informed and tied to distinct purposes.
• Silence, pre-ticked boxes or inactivity do not constitute consent; data subjects must explicitly opt in to the storage, use and management of their personal data.
• Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent.
5. Stricter processing requirements
Individuals have the right to receive 'fair and transparent' information about the processing of their personal data, including:
• Contact details for the data controller.
• Purpose of the data: This should be as specific ('purpose limitation') and minimized ('data minimization') as possible. You should carefully consider what data you are collecting and why. Ultimately, you must be able to justify these choices to a regulator.
• Retention period: This should be as short as possible ('storage limitation'), with due respect to other valid reasons for retention, such as legal/regulatory requirements or professional guidelines.
• Legal basis: You cannot process personal data merely because you want to. You must have a valid 'legal basis' for doing so, such as where the processing is necessary for the performance of a contract, an individual has consented, or the processing is in the organization’s 'legitimate interest'.
As there are many other principles and requirements introduced by the GDPR that may apply to you, it is vital to review the GDPR in its entirety to ensure that you have a complete understanding of all its requirements and ultimately ensure compliance.