GDPR – Consultant – iReto
Get guidance from a GDPR consultant
Because of the operational measures involved, the GDPR is strongly linked to ICT. Yet this is essentially also a journey in which governance (Board) plays a crucial role. “Regulation requires a company to take measures according to risk.” In doing so, Europe does not prescribe concrete steps, but it does require a company to correctly assess and cover risks.
This is precisely why many companies still have questions about the GDPR. The bottom line is that the company’s top management needs to know the risks, and, as part of this, must give the organization the resources needed to protect the data.
It follows that the company’s operational management must also be able to assess the risks. Close collaboration between ICT and the company’s legal department is therefore essential: the ICT department at the operational level is usually not familiar with the legal aspects of data use and security.
At the same time, more awareness is needed at the end-user level, since those are ultimately the people who will be working with the data. They need to know more about potential threats and data vulnerabilities. In other words, the HR department also has a role to play here, among other things through employee training.
Legal basis for processing under GDPR law
The GDPR places great importance on legality, proportionality and transparency with respect to the collection and processing of personal data and the rights of data subjects.
The GDPR states that before processing personal data, the controller must clearly define the purpose and state what it is using the data for.
So it is important that you properly identify and describe the purposes for which you will be collecting and processing, for example, member and user data. You may not simply change or expand the purposes while the processing is under way.
The GDPR also lists some legal purposes that justify processing:
* Contractual basis (necessary for the performance of a contract, e.g. an employment contract)
* Legal obligation (necessary for execution of legal duty, e.g. imposed in a decree)
* Public interest or public authority (mandated by law, e.g., police)
* Vital interest (e.g., for urgent medical reasons)
* Justifiable interest (activity is otherwise not feasible), only if it outweighs the interest, rights and reasonable privacy expectations of data subjects
* Unambiguous consent (free, active and specific consent of data subjects)
Whatever the legal basis, data minimization applies: collect only the data the processing actually requires. E.g. in an employment contract, sexual orientation usually has no purpose or reason for being recorded.
Legitimate interest and unambiguous consent are best relied on only if the other legal bases do not apply. E.g. employers must first rely on a legal or contractual obligation, and only as a last resort and exceptionally (even that is open to dispute) can they rely on consent or legitimate interest (e.g. for email verification).
Make sure that every decision and action you take passes the proportionality test, or always ask the following question when processing:
“Is it really necessary as a function of our objective to:”
- collect and further process this data?
- or are there perhaps other ways?
- keep these records for so long?
- give all these individuals access to the data?
- continue to link this data to a specific person, or can we pseudonymize or, better, anonymize it?
Transparency (for natural persons)
In accordance with the principle of transparency, information and communication with data subjects in connection with the processing of personal data must:
- be concise, simple, accessible and understandable;
- use clear and simple language.
This applies when communicating with data subjects about:
- the identity of the controller;
- requests for consent to processing;
- the descriptions of the purposes;
- awareness of risks, rules and safeguards;
- the existence of profiling and its consequences;
- their rights.
When specifically processing data of children, use language so clear and simple that the child can easily understand it.
What does a GDPR Consultant cost?
Calculate the cost to make your organization compliant with Privacy Law without obligation