Data Mapping – high-level steps
Select the data subject types with whom you interact (customers, employees etc.). For each data subject type, select the purposes (reasons) for processing their personal data, the lawful basis for the processing and the retention period (in other words, how long you hold on to the data). Then, for each purpose, select the types of personal (and sensitive) data that you process. Under Processing, indicate where you process data in-house and externally. Under Data Sharing, indicate to whom you disclose personal data (other than to Processors). Complete the process by indicating where each data type is collected.
Use a balanced approach. Define your processing purposes so that are not vague to your data subjects, so that they understand what they may be agreeing to but remember that, being overly descriptive or steeped in legal jargon may also prove distracting and non-informative.
If you’re relying on ‘consent’ as the lawful basis:
Individuals must be given a free choice, there should be no pressure on them to agree, the processing that they are agreeing to must be clear to them, there must be evidence of a clear indication of their agreement, when they tell you to stop, you must stop processing, the language you use must be simple and clear and the message must be prominent and not buried in some lengthy privacy notice or terms and conditions.
If you’re relying on ‘legitimate interests’ as the lawful basis:
It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. You must complete a legitimate interest impact assessment (LIA), thereby, identifying the legitimate interest; showing that the processing is necessary to achieve it; and balancing it against the individual’s interests, rights and freedoms. You must keep a record of any LIA to support your justification for using this lawful basis.
Automated Decision Making
That is, where decisions are taken by machine, without human intervention - e.g. use of an algorithm to automatically accept or deny an online credit application; an automated processing of CVs that evaluates (profiles) personal aspects of individuals to determine if they will qualify for a position; automated monitoring of an employee’s productivity used to automatically determine their pay.
Where profiling, done by computers, produces legal effects (decisions) concerning individuals, or similarly, significantly affects individuals:
individuals must be informed about decisions based on profiling;
they have a right to challenge the use of profiling, especially where legitimate interest is the lawful basis;
they may demand the opportunity to make representations and for human intervention in decision making;
data protection impact assessments have to be carried out where profiling will have significant legal effects on the individual
Data Protection Impact Assessment (DPIA)
A DPIA is a process for building and demonstrating compliance and must be done where a type of processing is likely to result in a high risk to data subjects. Examples of high-risk processing include - evaluation or scoring, including profiling and predicting; systematic monitoring; sensitive data processing; data processed on a large scale; datasets that have been matched or combined; data concerning vulnerable data subjects, such as children, the elderly, the sick; and data transfer across borders outside the European Union.
A processor is an external, legal entity to whom you send personal data to be processed on your behalf, under written contract. The processor cannot use the personal data for his or her own purposes. Personal data is not ‘shared’ with a processor.
Data Sharing (i.e. Disclosure to other Controllers)
e.g. a local authority disclosing to an anti-fraud body, a school to a research organisation or 2 or more controllers jointly determining a new purpose for collection and use of their clients' personal data. A travel agent sending clients’ personal data to a hotel for bookings is not an example of data sharing. In this case, they are separate controllers who must independently comply with the GDPR.
Transfers of personal data outside the EU
The conditions upon which you may transfer depend on the country you transfer to and whether the transfers are internal to your organisation. For countries that are not whitelisted you must ensure that you incorporate approved model clauses into your contracts and agreements. Transfers within a group of undertakings must be protected by binding corporate rules.
Doing business online with Children
Conducting e-business with children requires parental consent and communications with children must be simple enough for them to understand. Member States have different age-limit classifications for children. Because children represent a more vulnerable group of society, organisations should, in general, refrain from profiling them for marketing purposes. Children can be particularly susceptible in the online environment and more easily influenced by behavioural advertising. For example, in online gaming, profiling can be used to target players that the algorithm considers are more likely to spend money on the game as well as providing more personalised adverts. The age and maturity of the child may affect their ability to understand the motivation behind this type of marketing or the consequences.
They should not be seen as a single document or notice that is displayed on the home page of a website. They should be presented:
before or at the start of the data processing cycle i.e. when the personal data is being collected either from the data subject or otherwise obtained
as layered notices, where specific attention must be drawn e.g. as in obtaining consent;
throughout the whole processing period i.e. when communicating with data subjects about their rights;
at specific points while processing is ongoing, for example when data breaches occur or in the case of material changes to the processing;
not only in digital format but also where hard-copy is relevant.
Where a controller or a processor not established in the Union is processing personal data of data subjects who are in the Union whose processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, or to the monitoring of their behaviour as far as their behaviour takes place within the Union, the controller or the processor should designate a Representative
Read more about legitimate interest impact assessments here
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018