<

[Webinar] Learn how to a build a cloud-first strategyRegister Now

x

Do you know what data you're capturing?

Published on
3,079 Points
79 Views
Last Modified:
Adrian McGarry
Information is at the heart of my experience in IT, with over 20 years as a Data Protection Officer.
Following on from our article on "The Murky World of Consent and opt in", we thought we would issue some helpful guidance, not only on consent itself but knowing what information you are capturing, what you are doing with this data and how you can prove the lifecycle of this data when it comes to a

Following on from our article on "The Murky World of Consent and opt in", we thought we would issue some helpful guidance, not only on consent itself but knowing what information you are capturing, what you are doing with this data and how you can prove the lifecycle of this data when it comes to a Subject Access Request.


Asking for Consent

Let's start with one of the ending points of our previous article, "As a rule of thumb; only use explicit consent as a last resort, as this can be withdrawn at any time".  The first thing to consider is whether consent is the best and most appropriate lawful form of processing?


When it comes to opt-in, have you stated the opt-in for your customers and data subjects in clear, plain language and not buried it deep in a set of terms and conditions?  Also not using any pre-ticked boxes as they must positively opt-in themselves and have granular options that clearly define the specific processing types; email, telephone, post as just a few examples of such definitions.


When asking for consent have you stated the basic essentials?  Who your organisation is and how you are going to be using the data.

How about informing the individuals that they can withdraw their consent at any time? Explain they can even refuse to consent without detriment to them, or that not providing consent is not a precondition of providing a service.

Most importantly if the service you are offering is online and directed at children, then only to seek consent if you have age verification in place and parental consent measures to back up this consent.


Record and Manage Consent

Let's move on to how you record and manage consent.  How do you record how you obtained consent, when you obtained it and exactly how this was stated to the individual at that time?  This is a requisite of a privacy notice.

Do you regularly review consent, checking if the purposes for processing are accurate and if they have changed, that you have processes in place to refresh the consent at an appropriate period (especially parental consent).

Have you considered the use of a preference management tool, like a gateway or portal, to make it easier for individuals to manage or withdraw their consent and have you made public these measures of how to use these tools?

Letting your customers know that you will not penalise them for withdrawing their consent and that you process these consent withdrawals as soon as feasibly possible is good practice, as well as a good customer service ethic.

Now you have your consent in order, do you know what you are actually capturing?  This also extends to what you have already captured.


Data Audit

A data audit is a good practical step to help in understanding the information you hold and knowing your processes.  How you capture this data will aid with how and what you are using it for. Information also requires review, to consider how good the quality of the data is, as often you are reviewing this information you hold to assess who has access to it, who you share it with and then decide how you implement control over the data you hold.

The final piece should always be about retention and indeed the right of erasure, but these are covered in our other articles and throughout the be.GDPR and be.Privacy products.


The new data protection law (GDPR) will impact every organisation that holds or uses European personal data, not only applies to organisations located within the EU, but also apply to organisations located outside of the EU. To help explain this further please read our article on “GDPR are you ready?” 


For more information on who the EU GDPR affects please read our other articles https://www.beinfoready.co.uk/latest-data-news/


So having followed this advice, when you receive your first Subject Access Request under the General Data Protection Regulation, you can provide everything you need quickly and certainly within the allotted one month response period, then you can truly state that you can be.Infoready.

0
Comment
0 Comments

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Join & Write a Comment

This Micro Tutorial will demonstrate how nuggets on the Web are formatted by using Chrome Developer Tools. These tools would not only view the site's CSS but it can also modify it and save the CSS to use on your own site.
Shows how to create a shortcut to site-search Experts Exchange using Google in the Chrome browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch the Search Engine Menu: In chrome, via you…
Suggested Courses
Course of the Month20 days, 13 hours left to enroll

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month