Trillium Insights

Thoughts and Insights from Trillium's Practice Leaders

How do you obtain and maintain GDPR consent?

The General Data Protection Regulation (GDPR) is the EU regulation governing the collection and processing of personal data (the regulation's own term, which is broader than the US notion of personally identifiable information, PII). It applies to organizations established in the EU, and also to organizations anywhere in the world that offer goods or services to people in the EU or monitor their behaviour, so its impact is far-reaching. The date from which it applies (May 25, 2018) is quickly approaching (or may have passed, depending on when you're reading this), so if your organization is impacted by GDPR, your preparations should be well underway. One set of rules concerns consent. Consent is one of six lawful bases for processing under Article 6, not the only one, but where you rely on it, consent must be freely given, specific, informed and unambiguous, you must be able to demonstrate that it was given (Article 7), and the individual must be able to withdraw it at any time. What are some ways to deal with collecting and proving permission to maintain PII?

  • Setting up a method for obtaining consent that fits how the data will be used. Electronic forms, emails, or scanned documents with customers' signatures all work, provided the request is presented separately from other terms, in plain language, and requires a clear affirmative action: a pre-ticked box, silence or inactivity does not count as consent (Recital 32), and consent for distinct purposes should be collected separately.
  • Maintaining consent information as an integral part of your compliance records, because Article 7(1) puts the burden on you to demonstrate that consent was given. Whatever method you use must leave a clear audit trail: who consented, when, through which channel, to what (the exact wording and version of the notice they saw), and when and how it was withdrawn if it was. Oral consent is valid under the regulation but is nearly impossible to prove later, so capture it in some durable form at the time it is given.
  • Providing a method for your customers to give permission or opt out, and maintaining that information as well. Withdrawing consent must be as easy as giving it (Article 7(3)), and a withdrawal must actually stop the processing it covers. This is especially important where data is used "behind the scenes" for profiling, which individuals must be told about and can object to.
  • Noticing that there are some similarities between GDPR and the United States' Health Insurance Portability and Accountability Act (HIPAA) rules for Protected Health Information (PHI). If your organization already deals with HIPAA, you undoubtedly have some procedures for handling sensitive personal data. However, GDPR covers all personal data rather than only health information and adds individual rights (access, erasure, portability, objection) that HIPAA does not, so your existing processes will require review and revision.
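The audit-trail point above is easy to state and easy to get wrong in practice. The following is an added illustration written for this article (not Trillium's code and not a format the regulation prescribes) of an append-only, hash-chained consent log: each event records who, what purpose, given or withdrawn, when, through which channel, which version of the notice was shown, and a pointer to the raw evidence, and the chain lets you show a regulator that nothing was edited afterwards. Subject IDs, timestamps and evidence paths are constructed sample values.

```python
import copy
import hashlib
import json
from typing import List, Optional

# Hypothetical design for an append-only, hash-chained consent log. Constructed
# for this article; it is not a product and not a GDPR-mandated format.

GENESIS_HASH = "0" * 64          # prev_hash of the very first entry
ACTIONS = ("given", "withdrawn")


def _canonical(obj: dict) -> bytes:
    """Deterministic JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


class ConsentLedger:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, subject_id: str, purpose: str, action: str, timestamp: str,
               channel: str, notice_version: str, evidence_ref: str) -> dict:
        """Record one consent event with every field a regulator could ask about."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        record = {
            "seq": len(self.entries),
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS_HASH,
            "subject_id": subject_id,
            "purpose": purpose,
            "action": action,
            "timestamp": timestamp,        # ISO 8601, UTC
            "channel": channel,            # web-form, signed-document, ...
            "notice_version": notice_version,   # exact text the person saw
            "evidence_ref": evidence_ref,  # where the raw form/scan/log is kept
        }
        # The hash covers prev_hash, so editing or deleting any earlier entry
        # breaks every hash after it.
        record["hash"] = hashlib.sha256(_canonical(record)).hexdigest()
        self.entries.append(record)
        return record

    def verify(self) -> bool:
        """Recompute the chain; False means the log was altered or reordered."""
        prev = GENESIS_HASH
        for i, rec in enumerate(self.entries):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != i or rec["prev_hash"] != prev:
                return False
            if hashlib.sha256(_canonical(body)).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def latest(self, subject_id: str, purpose: str) -> Optional[dict]:
        """Most recent event for this subject and purpose, or None."""
        hits = [r for r in self.entries
                if r["subject_id"] == subject_id and r["purpose"] == purpose]
        return hits[-1] if hits else None

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """Only the latest event counts: a withdrawal cancels earlier consent."""
        rec = self.latest(subject_id, purpose)
        return rec is not None and rec["action"] == "given"


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample events (not real customers)."""
    ledger = ConsentLedger()
    ledger.append("s-1001", "newsletter", "given", "2018-04-02T09:15:00Z",
                  "web-form", "privacy-notice-v3", "forms/2018/04/02/8f3a.json")
    ledger.append("s-1002", "profiling", "given", "2018-04-03T14:40:00Z",
                  "signed-document", "privacy-notice-v3", "scans/s-1002-consent.pdf")
    ledger.append("s-1001", "newsletter", "withdrawn", "2018-05-01T18:02:00Z",
                  "unsubscribe-link", "privacy-notice-v3", "mail-log/2018-05-01/77c1")
    return ledger


def tampered_copy_verifies(ledger: ConsentLedger) -> bool:
    """Simulate someone rewriting a withdrawal back into consent after the fact."""
    forged = copy.deepcopy(ledger)
    forged.entries[2]["action"] = "given"
    return forged.verify()


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify())
    print("may email s-1001:", ledger.may_process("s-1001", "newsletter"))
    print("forged copy verifies:", tampered_copy_verifies(ledger))
```

A hash chain only detects tampering; someone with write access to the whole file could rewrite every hash. To make the log provable rather than merely consistent, periodically anchor the latest hash somewhere the log's owners cannot alter (write-once storage, a signed timestamp, or a record held by a second team) and keep the raw evidence the `evidence_ref` points to under the same retention rules as the log.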

More specific guidelines are contained within the GDPR articles. As you obtain consent and add controls in your systems to secure data, communicate your organization's commitment to and compliance with GDPR, but be careful how you do it: emailing a mailing list to ask for fresh consent is itself a marketing communication, and the UK's ICO fined companies in 2017 for sending exactly that kind of message to people who had never agreed to be contacted. Only write to contacts you already have a lawful basis to email, and keep a record of that basis.

Trillium has significant experience in privacy and cybersecurity, as well as in process and procedure mapping and implementation. We can assist your organization in determining your level of risk related to GDPR consent, what you can do to obtain and prove consent, and what your path forward should be.

GDPR is here – are you compliant?

The General Data Protection Regulation (GDPR) is the EU regulation governing the collection and processing of personal data. It was adopted in April 2016 and applies from May 25, 2018. GDPR impacts companies, government agencies, non-profits, and any other organization that offers goods or services to people in the European Union (EU) or monitors their behaviour (for example by collecting and analyzing personal data tied to them), regardless of where the organization is located, including the United States. Failure to comply can result in administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, and supervisory authorities can also order processing to stop. One way to view GDPR is like the Health Insurance Portability and Accountability Act (HIPAA) rules for Protected Health Information (PHI), applied to any organization that handles personal data rather than only to health information.

If your organization does business with the EU and collects or uses personal data, here are some of the key issues you need to be aware of:

  • Personal data should be pseudonymised wherever feasible, so that it can no longer be attributed to a specific individual without additional information that is kept separately and protected (Article 4(5)); the regulation names pseudonymisation and encryption as appropriate security measures (Article 32). Keep the re-identification key or lookup table under separate access control, and note that a plain unsalted hash of an email address is not pseudonymisation, because anyone can reverse it by hashing a list of candidate addresses.
  • Where personal data is routinely used in identifiable form, such as in human resource records, it must still be protected by technical and organisational measures appropriate to the risk: access control, encryption, logging, and limiting who can see it.
  • Where data is aggregated for warehousing or analytics, remove or pseudonymise identifiers and collect only what is necessary for the purpose (data minimisation, Article 5(1)(c)), which in practice may reduce what organizations collect to only that which is pertinent to complete a specific transaction.
  • Organizations must keep records of their processing activities (Article 30) and be able to demonstrate compliance to regulators (accountability, Article 5(2)).
  • Organizations must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it where feasible (Article 33), inform affected individuals when the breach is likely to result in a high risk to them (Article 34), and document the incident, its effects, and the actions taken to remediate it.
  • A Data Protection Officer is mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37); other organizations may appoint one voluntarily.
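The pseudonymisation points in the list above are where most implementations go wrong, so here is an added example written for this article (not a regulator's or vendor's code) of a keyed-hash tokenizer: direct identifiers are replaced with HMAC tokens, the key and the token-to-original vault live apart from the data, and the same person still maps to the same token so joins and counts keep working. It also shows why an unkeyed hash fails: a dictionary of candidate emails recovers the original. Field names, the HR-style records and the fixed test key are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Added illustration of pseudonymisation. Field names, sample records and key
# handling are constructed for this article, not taken from any regulation.

DIRECT_IDENTIFIERS = ("email", "full_name", "national_id")


def new_pseudonym_key() -> bytes:
    """256-bit key; in practice it lives in a KMS/HSM, never beside the data."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Keyed, domain-separated token: the same value always yields the same
    token (joins still work), but nobody without the key can compute or
    reverse it. Normalising case and whitespace keeps one person one token."""
    msg = field.encode("utf-8") + b"\x00" + value.strip().lower().encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize(record: Dict, key: bytes,
                 vault: Optional[Dict[str, str]] = None,
                 identifiers: Iterable[str] = DIRECT_IDENTIFIERS) -> Dict:
    """Replace direct identifiers with tokens, leaving analytic fields intact.
    If a vault is supplied, the token -> original mapping is stored there; that
    vault is the 'additional information kept separately' and must sit behind
    its own access control, not next to the pseudonymised data."""
    out = dict(record)
    for f in identifiers:
        if out.get(f) is not None:
            token = pseudonym(key, f, out[f])
            if vault is not None:
                vault[token] = out[f]
            out[f] = token
    return out


def unkeyed_hash(value: str) -> str:
    """What NOT to use: an unsalted hash of the identifier."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()[:32]


def recover_by_guessing(token: str, candidates: Iterable[str],
                        hasher: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: hash every candidate identifier and compare."""
    for c in candidates:
        if hasher(c) == token:
            return c
    return None


# Constructed HR-style records for the demonstration (no real people).
SAMPLE_RECORDS: List[Dict] = [
    {"email": "A.Jones@example.com", "full_name": "Alice Jones",
     "national_id": "QQ123456C", "department": "Finance", "salary_band": "B3"},
    {"email": "a.jones@example.com", "full_name": "Alice Jones",
     "national_id": "QQ123456C", "department": "Finance", "salary_band": "B4"},
    {"email": "b.khan@example.com", "full_name": "Bilal Khan",
     "national_id": "QQ654321A", "department": "Engineering", "salary_band": "C1"},
]


if __name__ == "__main__":
    key = new_pseudonym_key()
    vault: Dict[str, str] = {}
    for rec in SAMPLE_RECORDS:
        print(pseudonymize(rec, key, vault))
    leaked = ["c.lee@example.com", "a.jones@example.com", "b.khan@example.com"]
    print("unkeyed hash reversed:",
          recover_by_guessing(unkeyed_hash("a.jones@example.com"), leaked, unkeyed_hash))
    print("keyed token reversed:",
          recover_by_guessing(pseudonym(key, "email", "a.jones@example.com"), leaked, unkeyed_hash))
```

Rotating the key produces a completely different token set, so plan key rotation around the lifetime of the datasets that need to be joined, and treat the vault (if you keep one) as the most sensitive store in the system: with it, every record is identifiable again.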

GDPR was adopted in 2016, and although the text itself is final, guidance from supervisory authorities on how its requirements will be applied in practice is still being issued. Your organization therefore needs to stay vigilant and be ready to demonstrate compliance in order to minimize any penalties.

Trillium has significant experience in privacy and cybersecurity, and can assist your organization in determining whether GDPR applies to you and what may be required to bring you into compliance.