Tuesday, 29 May 2018

GDPR and naming Data Controllers


Image: four dogs via Creative Commons

So we all think that we've done all we need to do to comply with GDPR: gaining consents, allowing withdrawal of consents and breaking down consents to a granular level.

However, it looks like the regulations demand something a little more complex than that.


What the regulations specify is pre-consent naming of each controller for each data collection purpose, and granular post-consent withdrawal, naming each controller for each data collection purpose.

Recital 42 of the GDPR notes that:

"For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing". [11] All controllers (including "joint controllers" that "jointly determine the purposes and means of processing" [12]) must be named. [13]

As each purpose already has to be clear, and each opt-in requires a "clear affirmative action" that is both "specific" and "unambiguous" with no pre-ticked boxes, it seems Recital 42 requires that a consent request be made with granular options for each of these purposes, naming each controller that processes personal data for each of them.

Which we think should look something like:

Specific purpose 1 | controllers A, B, C | options: Accept / Refuse

Which suggests we all need to scuttle back to our consent forms to check the wording, the content and the layout. RC
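As an added example (not part of the original post), the per-purpose, per-controller layout above can be modelled as a small consent ledger: every purpose must name at least one controller before a form row can be shown, nothing is pre-ticked (an absent decision is treated as refused), and withdrawal can be recorded for a whole purpose or for a single named controller within it. The purpose ids, controller names and the `ConsentRecord` API are assumptions of this example, not anything the post or the regulation specifies.

```python
"""Granular, per-controller consent ledger (added example, not from the original post).

Assumptions (invented for illustration): the purpose ids, the controller names
and the ConsentRecord API below.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


class ConsentError(ValueError):
    """Raised when a purpose or decision would not satisfy the naming rules."""


@dataclass(frozen=True)
class Purpose:
    id: str
    description: str
    controllers: Tuple[str, ...]  # every controller, joint controllers included


@dataclass
class ConsentRecord:
    subject_id: str
    purposes: Dict[str, Purpose]
    # (purpose_id, controller) -> True only after an affirmative action;
    # a missing key is the same as "refused", so nothing is pre-ticked.
    decisions: Dict[Tuple[str, str], bool] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Refuse to build a form for a purpose that is unclear or names no controller.
        for p in self.purposes.values():
            if not p.description.strip():
                raise ConsentError(f"purpose {p.id!r} has no description")
            if not p.controllers:
                raise ConsentError(f"purpose {p.id!r} names no controller")

    def form_rows(self) -> List[str]:
        """One row per purpose, naming each controller, shown before any consent is taken."""
        return [
            f"{p.description} | controllers {', '.join(p.controllers)} | options: Accept / Refuse"
            for p in self.purposes.values()
        ]

    def _log(self, event: str) -> None:
        self.audit.append(f"{datetime.now(timezone.utc).isoformat()} {self.subject_id} {event}")

    def decide(self, purpose_id: str, accept: bool) -> None:
        """Record the subject's explicit choice for one purpose, per named controller."""
        purpose = self._purpose(purpose_id)
        for controller in purpose.controllers:
            self.decisions[(purpose_id, controller)] = accept
        self._log(f"{'accept' if accept else 'refuse'} purpose={purpose_id} controllers={purpose.controllers}")

    def withdraw(self, purpose_id: str, controller: Optional[str] = None) -> None:
        """Withdraw for one purpose; optionally only for one named controller."""
        purpose = self._purpose(purpose_id)
        targets = purpose.controllers if controller is None else (controller,)
        for c in targets:
            if c not in purpose.controllers:
                raise ConsentError(f"{c!r} is not a named controller for {purpose_id!r}")
            self.decisions[(purpose_id, c)] = False
        self._log(f"withdraw purpose={purpose_id} controllers={targets}")

    def may_process(self, purpose_id: str, controller: str) -> bool:
        """Only an explicit, un-withdrawn acceptance permits processing."""
        return self.decisions.get((purpose_id, controller), False)

    def _purpose(self, purpose_id: str) -> Purpose:
        try:
            return self.purposes[purpose_id]
        except KeyError:
            raise ConsentError(f"unknown purpose {purpose_id!r}") from None


def example_record() -> ConsentRecord:
    """Constructed sample: two purposes, each naming its controllers."""
    purposes = {
        "newsletter": Purpose("newsletter", "Send our monthly newsletter", ("Controller A",)),
        "analytics": Purpose("analytics", "Measure site usage",
                             ("Controller A", "Controller B", "Controller C")),
    }
    return ConsentRecord(subject_id="subject-0001", purposes=purposes)


if __name__ == "__main__":
    rec = example_record()
    print("\n".join(rec.form_rows()))
    rec.decide("analytics", accept=True)
    rec.withdraw("analytics", controller="Controller B")
    for c in ("Controller A", "Controller B"):
        print(c, rec.may_process("analytics", c))
```

The point of keeping decisions keyed by (purpose, controller) rather than by purpose alone is that a later withdrawal aimed at one named controller leaves the others' consent intact, which is the granular post-consent withdrawal the post describes; the audit list gives a defender a record of when each acceptance and withdrawal was made.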
