General Data Protection Regulation (GDPR) is the legal set of guidelines for the collection and processing of personally identifiable information (PII) by organizations within the European Union (EU). GDPR also applies if personal data of an EU resident is maintained, regardless of where the organization is located, so its impacts are far-reaching. The deadline for implementation (May 25, 2018) is quickly approaching (or may have passed, depending on when you’re reading this), so if your organization is impacted by GDPR regulations, your preparations should be well underway. One of the rules surrounding GDPR relates to obtaining explicit consent to retain PII, as well as to opting out. What are some ways to deal with collecting permission to maintain PII?
- Setting up a method for obtaining explicit permission to maintain PII depends on how the data will be used. You could use electronic forms, emails, or scanned documents with customers’ signatures.
- Maintaining consent information as an integral part of your compliance records in the event of an audit by regulators. Note that any method of consent must be provable with a clear audit trail in the event that proof is required. Oral consent is NOT considered proof.
- Providing a method for your customers to grant permission or opt out, and maintaining that information as well. This is especially important as data can be used “behind the scenes” for profiling purposes.
- Noting that there are some similarities between GDPR and the United States’ Health Insurance Portability and Accountability Act (HIPAA) data rules for Protected Health Information (PHI). If your organization already deals with HIPAA, you undoubtedly already have some procedures for handling PII. However, GDPR is much more far-reaching, so your existing processes will require review and revision.
More specific guidelines are contained within the GDPR articles. As you obtain consent and add controls in your systems to secure data, be proactive and contact your mailing list to indicate your organization’s commitment to and compliance with GDPR.
Trillium has significant experience in privacy and cybersecurity, as well as in process and procedure mapping and implementation. We can assist your organization in determining your level of risk related to GDPR consent, what you can do to obtain and prove consent, and what your path forward should be.