GDPR (4) Fair use of personal data
This instalment looks at the basic principles of the GDPR and the resulting obligations that you, as the controller, must fulfil with regard to the processing of personal data. It also includes six steps you can take to help ensure you are compliant by May 2018.
The GDPR seeks to create a regulatory framework that enables businesses and organisations to make use of personal data and at the same time guarantee the privacy of data subjects wherever possible.
The basic principles governing the legitimate use of personal data are as follows:
- you must be transparent about the data you keep and the processing operations you carry on;
- the data must be processed in a manner that is lawful and fair;
- the rights of the data subjects must be guaranteed;
- the confidentiality and integrity of the data must be respected;
- the controller’s liability must be established.
These principles are not new to privacy legislation, and over time they have come to be defined in a more systematic, clear way.
The most important obligations that controllers have to fulfil under the GDPR stem directly from these principles.
- Transparency is achieved by being clear about the personal data you keep, the type of processing you carry on and the objective you wish to achieve by processing the data. Information covering this must be easily accessible and be written in clear, straightforward language that can be understood by all.
- The fair use of personal data means that the data must be acquired in a lawful manner, that you must use it exclusively for the set purpose, and that the amount of data collected, and the length of time for which the data are kept, must not exceed what is necessary in order to achieve that purpose.
- Every data subject has a right to information concerning the way in which you process their data. They may ask to inspect their individual data and may have the data corrected, supplemented or removed. In certain circumstances, a data subject may stop their data from being processed. Ensuring all these rights are respected is not an easy task.
- Respecting the data means you must do everything possible to ensure the data are entered correctly and kept up-to-date and secure, so that they are not wrongfully published or used for the wrong purpose.
- The controller must be able to demonstrate that it complies with all its obligations under the regulation and is liable for any shortcomings.
These objectives will obviously be fully supported by all those who recognise the importance of corporate social responsibility. The GDPR and the more detailed explanations supplied by the national supervisory authorities (in Belgium this is the Privacy Commission) should therefore be considered as a help, rather than a way of imposing privacy constraints, as companies and other organisations can use these documents as a guide for achieving important goals while continuing their current activities.
The most important steps that data processing controllers have to take during the coming months in order to ensure compliance with the new regulation by 25 May 2018 are briefly summarised below.
- Set up records of processing operations involving personal data. This is an obligation under the GDPR, and as from 25 May 2018 you must be able to present these records to the Privacy Commission when you are asked to do so. You should primarily consider this to be a useful resource for yourself. This is because the records will provide you with a picture of all the personal data that you use. The records must state the type of data concerned, the type of processing involved, the purpose for which the data are processed and the legal grounds for processing the data.
- Prepare a privacy statement. This must be easily accessible wherever you collect contact details and other information about individuals.
- Check whether you have adequate security for all the personal data you collect. Is your network secure? Do you encrypt your files that contain personal data or use password protection? When data are no longer required, are they safely removed? (This applies to both digital data and data in printed form.)
- Draw up instructions that set out what needs to be done if a data subject contacts you in order to exercise their rights, to ensure that you can take the necessary action in time. Who will receive the request? Who will do what?
- Draw up a clear procedure containing all the steps to be taken if a data breach occurs and there is a risk that the privacy of data subjects could be infringed. Are all of your employees aware of this procedure?
- If you hire in third parties to process personal data, ensure there is a contract in place that clearly describes exactly what the subcontractor has to do and what its obligations and responsibilities are under the GDPR.
Each of these action points will be worked out in detail in future instalments of this blog, in which a general discussion will be accompanied by practical tips. But first of all we will examine how you can find the best person in your organisation to lead the GDPR project.
Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals).
If you have any questions or comments, please write to us at firstname.lastname@example.org.