How to apply the GDPR, practical tips for personal data administrators
An appropriate basis for the collection and use of personal data should be established
Consent is not the only basis for processing personal data. It should not be requested when the administrator is already entitled by law to collect and use the data, or when the data are necessary to conclude a contract. Asking for consent in such cases misleads clients, because such consent cannot be withdrawn.
The information obligation should be complied with in accordance with the new rules
It should be remembered that the GDPR has introduced significant changes regarding the fulfilment of the so-called information obligation. Data subjects must now be provided with more information. If a Data Protection Officer (DPO) has been appointed, his/her contact details must be provided. It is also the company’s responsibility to indicate the period for which the data will be stored. More information should be provided about people’s rights, including the possibility of withdrawing consent and the right to lodge a complaint with the President of the Personal Data Protection Office. Whoever collects or buys someone’s data from third parties or from publicly available sources becomes its administrator and must also fulfil the information obligation, even if it is just a phone number or an email address.
It must be remembered that the transparency principle introduced by the GDPR applies at all stages of communication with the data subject. It states that all information and all announcements related to the processing of personal data should be concise, transparent and understandable, and formulated in plain and simple language. The point is that texts should not be written by lawyers for lawyers, as has often been the case before. They must also be easily accessible. Therefore, the process of communicating with the people whose data are processed should be properly organized, and the messages and information addressed to them properly formulated. When justified, layered information may be used: basic information is provided first, together with an indication of where the rest can be found.
The rights of people are to be respected in all situations
The rights of people whose data are processed must be given effect. If an external entity processes data on the administrator’s behalf under a contract entrusting the processing of personal data, it is that entity’s responsibility to handle clients’ rights. If, for example, the entity conducts marketing activities, the administrator should be informed of any objections or requests for rectification of data. It is worth including the relevant provisions in the contract concluded with such an entity. Customers will surely appreciate it.
Consent may be withdrawn at any time
The GDPR states that a person whose data are processed on the basis of consent may withdraw it at any time and without negative consequences (e.g. an increase in the fee for services). The person should be informed of this right and must be able to withdraw consent as easily as he/she gave it.
Breaches of data protection should be reported to the President of the Personal Data Protection Office and, if necessary, the persons whose data have been affected should also be informed
In the case of a personal data breach (e.g. leakage, loss or accidental disclosure to an unauthorized person), an administrator must report it to the President of the Office for Personal Data Protection without undue delay and, if possible, no later than 72 hours after discovering the breach. The exception is a situation in which the breach is unlikely to result in a risk to the rights or freedoms of natural persons. When the risk to these rights and freedoms is high, the data subjects affected by the breach must also be notified. They should be given advice on what to do next and helped to take action to prevent or reduce the negative consequences of the breach, such as the risk of identity theft.
Unnecessary documentation should not be created
The principle of accountability obliges the administrator to introduce internal procedures that ensure compliance with the GDPR and to demonstrate that personal data are processed correctly. It should be remembered that, in order to prove various activities, e.g. obtaining consent, paper documentation and signatures do not always have to be collected. The proof can also be recorded or saved in an IT system. Procedures that have been adopted, implemented and confirmed by employees’ declarations may constitute sufficient evidence.
The administrator has the right to profile, but must remember the limitations
The GDPR does not prohibit profiling. However, it should be remembered that the data subject must be informed about the intention to profile and its consequences. Moreover, when automated decisions (made without human intervention) that have legal effects or significantly affect a person are taken on the basis of profiling, that person’s consent must be obtained, unless the decision is necessary to conclude or perform a contract or is allowed by EU or member state law.
Watch out for scammers
Threatening high fines or demanding payment are popular methods of fraudsters who want to make easy money on the GDPR! Incoming correspondence should be read carefully. It should be checked who sent it and what it concerns. If it claims to come from the Office for Personal Data Protection, it should be verified in terms of the required elements, e.g. the correct name of the office, correct addresses, authentic signatures, and whether the official seal is genuine. An inspector is required to present an inspection authorization and a service card. If the support of companies operating on the market is necessary, their credibility and experience should be checked, and training and courses on the protection of personal data should be chosen carefully.