ALDE VALLEY SUFFOLK FAMILY HISTORY GROUP and the GDPR ①
A. Because all holders of others' personal data in the EU must now comply with the GDPR ...
The EU General Data Protection Regulation (GDPR) aims primarily to give control to citizens and residents over their personal data, and became enforcable on 25th May 2018. It brings a new set of "digital rights" to EU citizens over their personal data, which comprises, according to the European Commission, "any information relating to an individual, … anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information or a computer's IP address".
The Data Protection Act 1998 and similar earlier UK data legislation broadly related only to computer and closely related systems. However, it is important to know that the new EU Regulation applies to ALL personal data held on others, including in paper-based systems, and that its applicability will be unaffected by any changes resulting from Brexit.
The Regulation applies if the "data controller" (an organisation that collects data from EU residents), or the "processor" of data, or the "data subject" (person), is based in the EU. Data may not be processed unless there is at least one legal basis to do so. One of these bases is that the "data subject" has given consent to the processing of personal data for one or more specific purposes. If consent is used as the legal basis for processing, consent must be explicit for data collected and the purposes the data is used for. Data controllers must be able to prove "consent" (opt-in) and consent can be withdrawn by the data subject.
The Information Commissioner's Office (ICO) advises that "consent should be specific and granular, so your records also need to be specific and granular to demonstrate exactly what the consent covers. ... Give granular options to consent separately to different types of processing wherever appropriate."
The ICO adds that "explicit consent requires a very clear and specific statement of consent, … separate consent for separate things. Vague or blanket consent is not enough. … Make it easy for people to withdraw consent and tell them how. Keep evidence of consent — who, when, how and what you told people. Avoid making consent to processing a precondition of a service."
Above all, consent must be "unambiguous and involve a clear affirmative action" by the person agreeing to their data being held.
Furthermore, the Regulation's "right of access" gives citizens the right to access to their personal data and information on how that data is being processed. A "right to be forgotten" was replaced by a less limited "right of erasure" in the version that was adopted by the European Parliament in March 2014.