GDPR compliance only becomes mandatory for businesses on 25th May 2018. But unless your data processing operations are trivial, 2017 is when you have to start preparing, or you risk being caught unprepared with unresolved data protection compliance issues.
So what are the key things to do in 2017 about your GDPR compliance? Here are some tips on what you should pay attention to.
Do I have user consent for data processing?
Like the 1995 Data Protection Directive, the GDPR in some cases requires individual consent for the processing of personal data. In fact, it has always been safer to rely on consent than on another legal ground, and that has not changed much.
However, the standards for obtaining consent are getting stricter at the EU level. The request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Moreover, when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. In other words, think before you continue to condition the provision of your services on unnecessary data collection from individuals!
Do I process children’s personal data?
If you do, make sure you comply with the additional requirements the GDPR sets out to protect the rights of children. When offering web services or mobile apps, the processing of a child's personal data shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
In addition, Member States will be able to provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
Do I need to appoint a Data Protection Officer?
As a business, you will need to employ or outsource a Data Protection Officer if your core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or where you process on a large scale special categories of sensitive personal data.
Such data comprise racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, or data on criminal convictions and offences.