Under the EU General Data Protection Regulation (GDPR), companies must give their customers clear notice of the purpose for which their data is collected, and any consent relied on must be "freely given, specific, informed and unambiguous" (Article 4(11)). This requirement can be broken down into two parts, or concepts: Notice and Opt-in (Choice).
What is a privacy notice?
A privacy notice is the statement a company gives individuals explaining what personal data it collects, why it collects it, and how that data will be used and shared. Under the GDPR, privacy notices must be clear, concise and understandable: Article 12 requires information to be provided in a concise, transparent and intelligible form, using clear and plain language. A notice that communicates complex and important information in a way a general audience can follow promotes consumer understanding and, in the long run, saves a company time and money.
What does Choice mean according to the GDPR?
Opt-in is the idea that information sharing will not occur unless consumers affirmatively allow it or request it. Opt-out is when a business gives consumers an opportunity to refuse the sharing of information about themselves, with the presumption that they will choose to share it; the consumer must take action to change that selection. Thus, in the Opt-out scenario, the default is that you have agreed to share all of your information, and if you do not want to do so, you must proactively inform the business. The GDPR requires the Opt-in model: silence, inactivity or pre-ticked boxes do not constitute consent (Recital 32).
This requirement directly affects how organizations collect information, record the purpose for which it was collected, and then store, use, and share it. For example, if a company collects customer data to provide technical support, it must clearly state that reason for collection, and the data subject must proactively opt in to allow his or her data to be collected for that purpose.
What can organizations do with this data?
Once the company receives that data, it can only use the data for that limited purpose, unless it obtains separate, specific and explicit consent from the customer to use the information for a new purpose. As the data is stored in the company's systems, it needs to be clearly marked with its collection purpose (for example with a purpose tag or label on each record) so that it is not inadvertently combined with other data and used for a different purpose.
This is particularly important for organizations that regularly share customer data with external parties, especially where the sharing is not related to the original collection purpose. It may also have implications for companies that hold data collected over a period of time and are later subject to a merger or acquisition, since the acquired data carries the purposes (and consents) it was originally collected under.
The Opt-in requirement also means that many organizations will need to create layered consent mechanisms that can demonstrate an individual has chosen to have data shared with third parties, or used for a separate purpose, and when and how that choice was made. As many organizations collect data (and obtain consent) through their websites or an internet portal, this will require a major revamp of current consent mechanisms and Opt-in/Opt-out practices. The same is true for in-person or paper-based consent forms.
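The two points above, purpose-tagging stored data so it is not silently combined, and keeping evidence that each use rests on an affirmative opt-in, can be enforced in code rather than left to policy. The following Python is an added example, not code from the original article or from any particular product: it keeps a consent ledger (who opted in, for what purpose, when, and through which form and notice version), tags each stored record with its collection purpose, and mediates every use and every merge through a guard that refuses anything the subject did not opt in to. All names (ConsentLedger, PurposeGuard, the purposes "technical_support" and "marketing", and the sample records) are hypothetical illustrations.

```python
"""Purpose-bound storage of personal data backed by opt-in consent records.

Added illustration (not from the original article); class names, purposes and
sample data are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


class PurposeViolation(Exception):
    """Raised when data is used or combined for a purpose the subject did not opt in to."""


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str           # e.g. "technical_support"
    granted_at: datetime   # when the affirmative opt-in was captured
    source: str            # where it was captured, e.g. "web_form:v3"
    notice_version: str    # which privacy notice the subject was shown


@dataclass
class PersonalRecord:
    subject_id: str
    data: dict
    purposes: frozenset    # purposes this copy of the data was collected for


class ConsentLedger:
    """Append-only evidence of opt-ins; withdrawals are tracked separately."""

    def __init__(self):
        self._records = []
        self._withdrawn = set()

    def record_opt_in(self, subject_id, purpose, source, notice_version, granted):
        # Only an explicit affirmative act counts; a default or pre-ticked value is rejected.
        if granted is not True:
            raise PurposeViolation("consent must be affirmatively given; a default is not consent")
        rec = ConsentRecord(subject_id, purpose, datetime.now(timezone.utc), source, notice_version)
        self._records.append(rec)
        self._withdrawn.discard((subject_id, purpose))
        return rec

    def withdraw(self, subject_id, purpose):
        # Withdrawal must be as easy as giving consent; it stops further use immediately.
        self._withdrawn.add((subject_id, purpose))

    def purposes_for(self, subject_id):
        return frozenset(r.purpose for r in self._records
                         if r.subject_id == subject_id
                         and (subject_id, r.purpose) not in self._withdrawn)

    def evidence(self, subject_id, purpose):
        return [r for r in self._records if r.subject_id == subject_id and r.purpose == purpose]


class PurposeGuard:
    """Mediates every store, use and merge of personal data and keeps an audit trail."""

    def __init__(self, ledger):
        self.ledger = ledger
        self.audit = []  # (subject_id, purpose, decision)

    def store(self, subject_id, data, purpose):
        if purpose not in self.ledger.purposes_for(subject_id):
            raise PurposeViolation(f"no opt-in from {subject_id} for {purpose!r}")
        return PersonalRecord(subject_id, dict(data), frozenset({purpose}))

    def use(self, record, purpose):
        # Both the record's own tag and the live ledger must allow the purpose.
        allowed = purpose in record.purposes and purpose in self.ledger.purposes_for(record.subject_id)
        self.audit.append((record.subject_id, purpose, "allow" if allowed else "deny"))
        if not allowed:
            raise PurposeViolation(f"use of {record.subject_id}'s data for {purpose!r} denied")
        return record.data

    def combine(self, a, b):
        # Records collected under different purposes are never silently merged.
        if a.subject_id != b.subject_id or a.purposes != b.purposes:
            raise PurposeViolation("refusing to combine records collected for different purposes")
        return PersonalRecord(a.subject_id, {**a.data, **b.data}, a.purposes)


def _violates(action):
    """True if the action raises PurposeViolation."""
    try:
        action()
    except PurposeViolation:
        return True
    return False


def run_scenario():
    """Walk through the article's support/marketing example with constructed sample data."""
    ledger, out = ConsentLedger(), {}
    guard = PurposeGuard(ledger)
    # An opt-out style default (granted=False) is rejected outright.
    out["default_rejected"] = _violates(
        lambda: ledger.record_opt_in("u1", "marketing", "web_form:v3", "2018-05", granted=False))
    # Explicit opt-in for technical support; data stored and used for that purpose only.
    ledger.record_opt_in("u1", "technical_support", "web_form:v3", "2018-05", granted=True)
    support = guard.store("u1", {"email": "u1@example.com", "ticket": "#123"}, "technical_support")
    out["support_use"] = guard.use(support, "technical_support")["ticket"]
    out["marketing_denied"] = _violates(lambda: guard.use(support, "marketing"))
    # A later, separate opt-in for marketing does not let the two datasets be merged.
    ledger.record_opt_in("u1", "marketing", "checkbox:newsletter", "2018-05", granted=True)
    marketing = guard.store("u1", {"interests": ["security"]}, "marketing")
    out["combine_refused"] = _violates(lambda: guard.combine(support, marketing))
    # Withdrawal stops further use even though the record is still tagged "marketing".
    ledger.withdraw("u1", "marketing")
    out["withdrawn_denied"] = _violates(lambda: guard.use(marketing, "marketing"))
    out["audit"] = [decision for _, _, decision in guard.audit]
    out["support_evidence"] = len(ledger.evidence("u1", "technical_support"))
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The guard checks both the tag on the stored copy and the live ledger, so a record copied into another system still carries its purpose, while a withdrawal takes effect without having to hunt down every copy. The audit list is what you would hand to a regulator, together with the ledger's evidence, to show that each use rested on a recorded opt-in.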
What can you do to prepare for GDPR obligations?
Give consumers a choice about whether or not to provide data. You need to clearly indicate what personal information you are requesting or collecting from consumers, give them a real choice about whether to provide it, and then clearly mark the data you have collected with the specific purpose it was collected for. This means you cannot leave your policies to chance or luck.
Sign up for our GDPR Response Guide to learn how you can take a risk-based approach to GDPR compliance.