
gain lawful Consent

Consent of the Individual and the lawful processing of personal data
What is Personal Identifiable Information
Article 4, the text states:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

For companies it is now time to revisit Consent

(7) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or oral statement. This could include clicking a box on the internet.

  • Consent must be freely given and unambiguous
  • Requires affirmative action
  • For sensitive data, consent must be explicit
  • Can be withdrawn at any time
  • Not available where there is a clear imbalance in the relationship
  • Multiple purposes need multiple consents

Additionally

  • Don’t mislead by asking for consent where you do not need it
  • Don’t dress up marketing consents as service messages
  • Consents must be refreshed every two years
  • Data sharing – every third party must be named
  • Consent must be granular
  • Review the basis of current consent

Lawfulness of Consent: Article 6
Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes

GDPR lawful purposes for ordinary data include processing on the basis of

  • Specific Consent
  • Legitimate interests of the data controller
  • Necessary for the performance of a contract
  • Compliance with a legal obligation
  • In order to protect the vital interests of the data subject or of another natural person
  • Necessary for performance of a task carried out in the public interest

What data is Captured?

  • What are data controllers and data processors?
  • What is personal data?
  • The regulation applies to the processing of “personal data” by automated means and by non-automated means

  • Special data (Sensitive data)
  • Other data

Personal data and identifiers

A data subject is an identified or identifiable natural person

  • Personal identifiable information – information relating to a data subject
  • Identifiable information
  • Name – identification number – social identity factor
  • Financial information – Philosophical beliefs – family life
  • Occupation – professional capacity

Questions to establish Personal Identifiable Information

The question blocks used when identifying Personal Identifiable Information

Are you answering yes to any of the following questions? If so, the data is likely to be ‘personal data’ for the purposes of the DPA.

1. Can a living individual be identified from the data, or, from the data and other information in the possession of, or likely to come into the possession of, the data controller?

2. Does the data ‘relate to’ the identifiable living individual, whether in personal or family life, business or profession?

3. Is the data ‘obviously about’ a particular individual?

4. Is the data ‘linked to’ an individual so that it provides particular information about that individual?

5. Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?

6. Does the data have any biographical significance in relation to the individual?

7. Does the data focus or concentrate on the individual as its central theme rather than on some other person, or some object, transaction or event?

8. Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity?

If you answered no to all of the above questions, the data is not likely to be personal data for the purposes of the DPA.

Personal Identifiable information: Special data – requires specific consent

  • Racial or ethnic origin
  • Political opinions
  • Religious or Philosophical beliefs
  • Trade union membership
  • Genetic data (new)
  • Biometric data (new)
  • Data concerning health or sex life
  • Sexual orientation

Special note on financial data – data - special category

Other data types and definitions

Data Consent: Children Article 8

If services are offered directly to children, you must communicate privacy information in a clear plain way that a child will understand.

If your business offers “Information Society services” directly to children, your business is required to have systems in place to verify the individuals' ages and to obtain parental consent where required.

Other Data

Not all information is personal data. For example, financial data about companies, or records of the performance of public services are obviously not personal data. Instead of relating to individuals, data may also relate, for example, to fauna or flora, buildings, civil structures, temperature, or quality of air or sea.

“data such as the service register of a car held by a garage containing the information about the car of an individual”

Biometric Data (new)

‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data

Anonymised data

Anonymised data are not personal data to the extent that they have had all personal elements likely to identify an individual removed, such as name, address, date of birth, national insurance number, national health service number or tax reference number. De-identified data or pseudonymised data, sometimes called “key-coded data”, are a form of anonymised data presented at the individual level rather than aggregated, where individuals are distinguished by the use of a unique identifier which does not reveal their real identity. Among the different types of anonymised data, pseudonymised data pose a high level of reidentification risk.

Pseudonymisation of Data

'the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person.'

Communicating Privacy Policy

Review of Privacy notices

  • Review and update your privacy documents
  • Make information easily accessible in different formats
  • Access to Privacy at all points of consent
  • Privacy policy is to be separate from terms and conditions
  • All third parties receiving information need to be named
  • Contain details of the use of the data
  • Define the data retention policy

Data Retention

Set a Data Retention Policy

  • This may vary within different tasks – internal – customer channels
  • For what purpose is the data kept?
  • Has the purpose been fulfilled?
  • Do you need to keep the data for any potential future claims?
  • Ensure you have policies in place
  • How will the data be destroyed?

paper – electronic – third party services – archive or storage

Individual Rights: What about existing data?

Where processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of this regulation. (Evidence)

Data Retention: a company will need to ensure that data concerning an individual is “limited to what is necessary for the purpose for which they were processed”.

Data controllers should establish that data due for erasure is reviewed within a periodic review policy.

Policies and Procedures for Access

Set policies and procedures to deal with enhanced rights to individuals

Subject Access Right changes and impact

  • No fee, previously £10.00 (unless extensive)
  • A shorter time to respond: 30 days
  • Has the purpose been fulfilled
  • Returned in the medium it was created
  • Data about children belongs to them, not their parent/guardian; broader outlines need to be considered and a framework provided
  • Further detail to be provided on request from individual

Individual Rights: Right to be Forgotten

Circumstances when request can be made by individual:

  • If identified use of the data is no longer necessary
  • Consent withdrawn and there is no other legal ground for processing
  • Individual objects to direct marketing/legitimate interests
  • If the Data is being unlawfully processed
  • To comply with legal obligations