GDPR – Determining GDPR Compliance – Part 2
Once your organization decides to become GDPR compliant, that is when fun starts – wading through the blogs, white papers, news coverage, conflicting information, etc. to determine exactly what needs to be done to ensure compliance. This probably seems like a lot of extra work but becoming GDPR compliant is not as hard as some news reports make it out to be. For those organizations that already follow existing data security standards, such as PCI DSS, ISO 27001, NIST, these new regulations should not be a burden.
GDPR has a series of requirements that your organization must meet to be compliant. The focus of this blog series will be to review these requirements step by step so that you can determine your organization’s GDPR preparedness. The previous blog, GDPR – Determining GDPR Compliance, we reviewed items such as Choice and Consent, Personal Data, Records of Consent, Individual Rights and Personal Data Security. In this installment, we will review Purpose and Use Limitations.
Legitimate Purpose Specification and Use Limitation
For this next portion of GDPR compliance, we look at the organization’s reasons for collecting and processing data from its data subjects. The main goal is to answer the following question: Is collecting and using data necessary for the functioning of the organization?
In order to meet this standard, the organization must:
1. Collect only the minimum data needed to accomplish the purpose.
2. Determine which lawful basis for collecting and processing the data.
3. Ensure that any intended further processing will be reviewed, and handled appropriately, prior to such use.
Collecting the minimum amount of data needed is fairly straightforward. For example, if you are collecting data for a mailing list, the organization would simply ask for the person’s name, address and what the person is interested in receiving. However, the second item, lawful basis – is a little trickier, so let’s cover that next.
Ensuring Data Processing is Lawful
In order for an organization to collect and process personal data, they must first have a lawful basis. Examples of lawful basis include:
· Consent of the data subject;
· Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a Contract;
· Processing is necessary for compliance with a Legal Obligation;
· Processing is necessary to protect the Vital Interests of a data subject or another person;
· Processing is necessary for the performance of a task carried out in the Public Interest;
· Necessary for the purposes of Legitimate Interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
A lot of organizations are intending to rely on Consent as the lawful basis. However, what happens when the organization has to utilize the data subject’s data for reasons other than what the consent is given for? For example, if a marketer collects data for a mailing list, but then wants to use that data for a separate direct marketing campaign? Using consent as a lawful basis would then require the organization to provide the data subjects with the means to opt in to the marketing campaign. Also, the organization must inform data subjects that consent can be withdrawn at any time and have a structure in place that can accommodate withdrawals. So, while using consent as the lawful basis may seem simple, this can get complicated over time.
One of the ways that an organization can use data without the data subject’s explicit consent is to ensure that the use of the data is essential for the legitimate interests of the organization. In order to meet this standard, the organization must ensure:
1. Purpose – The purpose of collecting the data must be necessary to the functioning of your business. For example, you can collect and store the bank data of employees for the purpose of paying them.
2. Necessity – The organization must prove that using the data is the only way to achieve its purpose. In the above example, the organization would need the bank data of employees in order to do a direct deposit to the employee’s account for payroll purposes.
3. Data Subject Rights – Do data subject rights outweigh the organization’s legitimate interest? If the organization opts to use the employee’s data in a manner that may not be reasonably expected – such as selling payroll data to a third-party, then the employee’s right to privacy would outweigh the organization’s legitimate interest in the data.
What Does this Mean to Your Company?
How the GDPR applies to US companies collecting, using, or maintaining personal data can be complicated – particularly regarding those who collect data pertaining to individuals located both in and out of the EU.
The difficulty of addressing these questions, as well as several other complicated areas, makes GDPR compliance for US companies an area that requires action to be taken as soon as possible. At Intrinium, we have been advising our clients to review their privacy policies and business needs to ensure that they are prepared to meet the requirements of the GDPR.