The GDPR tightens regulation around how the personal data of EU citizens is processed, and gives them more rights over who holds their data and how it is used.
You can read more about what the GDPR is here, but suffice it to say, we all now need to be very clear on why we hold data, and what we are and are not supposed to do with it (and of course the audit trail around this).
As the digital age has taken hold, we have all been gathering wads of data, and after you have finished using it, well, you just leave it there; I mean, it was only 100MB of data, which at current prices costs about £0.0035 to store.
Unfortunately many companies have often not thought about how long they should keep this data for, and may not have fully considered why they collected it in the first place, or indeed what the data subject agreed could be done with the data. And of course some companies have abused the data they hold by using it for purposes that were not originally agreed when the data was collected, such as selling it to third parties.
The Path to Compliance
Your privacy policy is extremely important for letting users know what their personal data is being used for. It should specify:
- What personal data is being collected, and why
- What you will and will not do with the personal data
- How the personal data will be processed
- Who will be allowed to process the data and under what circumstances
- What the data subject's rights are
- Contact information for updating data or making a complaint
- How long the data will be retained
Many privacy policies prior to GDPR did not contain this level of detail on how data was handled, and where this is the case, the agreements you have in place with data subjects who have provided personal data are not GDPR compliant.
Do data subjects have to give their consent again?
If the legal basis through which you are going to want to continue processing the personal data is ‘consent’, then, depending on how the consent was originally obtained, it may be that the consent is not now compliant.
In order for consent to be compliant, it must be:
- explicit (implicit and ‘soft opt in’ forms of consent are no longer permissible);
- as easy to withdraw as it was to provide, at any time;
- separate from any other matters, and in clear, plain language; and
- recorded by the Data Controller,
and, when collecting the personal data, the Data Controller must provide:
- their contact details and relevant personnel;
- the purpose of the processing;
- the legal basis upon which the processing shall be permitted;
- the legitimate interests pursued (where this is the legal basis);
- the recipients of the personal data (if any); and
- details of any intended transfers of the personal data outside the EEA,
and, in order to ensure the processing is fair and transparent, the Data Controller must also explain:
- the period for which the data will be retained;
- the rights of the data subject;
- the process for raising a complaint;
- any contractual implications in respect of providing, or not providing, the personal data; and
- any automated decision-making performed using the personal data.
As these requirements have changed since the time a previous consent may have been provided, the world+dog now wants to let you know that they have updated their privacy policies, and request your consent to continue processing your personal data.
We need your consent too!
Of course we are no different to anyone else; our consent records for our mailing list subscribers need to be updated to align with the GDPR requirements, and therefore before the 25th May, we will be asking our current subscribers to give their consent to continue receiving our newsletters. If any of those subscribers do not give their consent to continue receiving communications from us, we will delete their data and they will no longer receive them.
The effect of this (especially initially) is that we will have fewer subscribers than we currently have. This may not be a bad thing, as quality is better than quantity.
SWGfL is a charity promoting the positive use of technology in education. We work with a wide variety of groups, both nationally and internationally, such as schools, local authorities, government bodies, other charities, and commercial organisations.
As lead partner in the UK Safer Internet Centre, we also sit on the Online Safety boards for Google, Facebook, Twitter, Snapchat and others and advise government on Online Safety Strategy. We regularly publish research, resources and articles about all things technology in education and you can get the best articles delivered to your inbox every month by subscribing to our newsletter!
And yes, our signup process is now GDPR compliant! If you feel like you are not quite on top of GDPR yet and need more guidance, we have an introduction to GDPR to help you understand the why, and have also published some more detailed GDPR Guidance for Schools, as well as a range of services that can help you.
Need more info? Just contact us.