Dave Farrelly from DF Consulting outlines the GDPR implications of applying new technologies and new ways of gathering personal data during Covid-19.
Last month, as we started to feel the full impact of the Covid-19 pandemic, we looked at how organisations need to think about the management of personal data through such a crisis.
Continuing our monthly series on practical GDPR (General Data Protection Regulation) business compliance we look at some of the considerations when introducing technologies and new ways of acquiring personal data.
“Businesses must continue to be GDPR-compliant, even through these unprecedented times”
As ‘remote working’ and ‘contact tracing’ become part of our everyday vocabulary we must continue to bear in mind the need to comply with GDPR.
Last month we talked about how organisations are changing the way they are doing business, whether it be by fully working remotely, selling online or developing new technology solutions. It’s important to be reminded that the Data Protection Commissioner (DPC) has made it clear that data protection laws will not stand in the way of the provision of healthcare and the management of public health.
However, businesses must continue to be GDPR-compliant, even through these unprecedented times.
Over the past month we have seen technology play a key part in helping control and combat Covid-19 as well as enabling businesses to continue to operate or switch their selling model from in-person to on-line.
So, what are some of the key considerations for businesses introducing new technologies and new ways of acquiring personal data currently?
Do you need to conduct a Data Protection Impact Assessment (DPIA)?
The DPIA is a new obligation under GDPR and must be completed where changes to processing operations are likely to result in a ‘high risk to the rights and freedoms of data subjects’. The DPIA is very much a risk assessment to identifying the risk impact and severity of processing personal data in a new or different way.
Organisations are expected to embrace ‘Privacy by Design’ ensuring that personal data protection is considered at every stage of the development process. The DPIA references all 7 Data Management Principle of GDPR and checks for compliance when new or different data processing activities are introduced.
The DPIA follows a typical risk assessment methodology with excellent guidance from the Data Protection Commissioner available to help you identify when it is required and the benefits of taking a formal approach.
Is your business acquiring personal data in a fair and transparent way?
Principle 1 of GDPR stipulates that organisations must acquire personal data in a fair and transparent manner with a legal basis for doing so. As you introduce new technologies and new ways of doing business are you making it fully clear to data subjects as to what personal data you are acquiring from them and for what purpose?
Think about the registration process for a new mobile app to do contact tracing, adding e-commerce functionality to your website or the installation of additional security cameras in your business premises.
Is your business using consent as a legal basis for the acquisition of personal data?
As a lot of businesses embrace digital marketing and on-line selling in a more structured and aggressive manner it is important to remember that, if using consent, as the legal basis for processing personal data it must adhere to new standards under GDPR.
Your business must be able to demonstrate how and when consent was provided including the communication of a clear purpose for the acquisition of the personal data. Data Subjects must always be given the option to opt-out or unsubscribe from marketing communications and promotions as well as be communicated with at least once in every 12-month period to ensure the validity of consent as the legal basis for such processing.
Stay safe out there!
Dave Farrelly is a seasoned GDPR consultant offering businesses practical guidance, training and solutions to GDPR compliance. You can see more details on what Dave and his associates can support your business with at http://www.dfconsulting.ie/ Dave can be contacted directly at firstname.lastname@example.org.
Published: 28 April, 2020