Your Most Burning Questions About GDPR Answered. Part 3/3

Written by Karolina Lubowicka

Published May 07, 2018

In this series of articles we tackle issues related to GDPR and governments, charities, SMEs, and more. Read on to learn how to prepare your business for the changes the new Regulation is bringing.

How to process sensitive data and data about children?

Both of these can be considered special types of data. Processing them imposes some additional duties on you.

When data processing involves children and depends on their consent, there are two things any organization collecting this data must do:

  • implement an age-verification mechanism, and
  • verify parental responsibility.

What’s more, you should also ensure that information about consent, forms, etc. is written in a way that children can understand.

GDPR characterizes special categories of data in this manner:

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

If you want to process this kind of data, you’ll need to legitimize its use under one of the nine conditions set out in Article 9(2). Among them, the regulation lists explicit consent – probably the easiest option for legitimising the use of special data categories in marketing activities.

Explicit consent can be thought of in much the same way as the GDPR’s standard requirements for obtaining consent. The difference is that it must be obtained in a way that leaves no room for misinterpretation.

An explicit consent statement should also refer only to the element of the processing that requires explicit consent.

As the Information Commissioner’s Office (ICO) states,

The statement should specify the nature of data that’s being collected, the details of the automated decision and its effects, or the details of the data to be transferred and the risks of the transfer.

And as with regular types of consent, you shouldn’t seek explicit consent if there is any other lawful basis to obtain data. You can process data without consent if it’s necessary for:

  • a contract with the individual
  • compliance with a legal obligation
  • vital interests
  • a public task
  • legitimate interests.

If you’d like to read more on the subject of GDPR, sensitive data, and children, we recommend this extremely informative blog post written by Aurelie Pols, a leading expert on data privacy:
GDPR & Children: Teaching Kids How to Lie on the Internet

How will GDPR affect Small and Medium Enterprises (SMEs)?

According to one ICO enforcement manager,

Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.

This means that even small and medium enterprises will have to take the same steps as big organizations to start processing data in line with the new regulation.

However, in Recital 13 (“Taking account of micro, small, and medium-sized enterprises”), GDPR states that:

To take account of the specific situation of micro, small and medium-sized enterprises, this Regulation includes a derogation for organisations with fewer than 250 employees with regard to record-keeping. In addition, the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation. The notion of micro, small and medium-sized enterprises should draw from Article 2 of the Annex to Commission Recommendation 2003/361/EC.

Unfortunately, at this stage it’s difficult to assess exactly how Member States are going to address this issue.

If you want to better understand what exactly to change in the way you process your clients’ data, check out this blog post:
How Will GDPR Affect Your Web Analytics Tracking?

Or just browse the GDPR section on our website, which offers a solid overview of the most important aspects of the new Regulation.

Also be sure to check out this extremely helpful document created by ICO:
Preparing for the General Data Protection Regulation (GDPR) – 12 Steps to Take Now

How will GDPR affect employee data? GDPR and HR

As you already know, the new regulation applies to personal data in all forms. Employee data is no exception here. Of importance for employers is the fact that, in most cases, consent won’t be the legal basis they should rely on when processing the data about their employees.

Recital 43 of GDPR states that:

In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.

However, the Article 29 Working Party advises that in the case of employers, the balance of power is also too far to one side, and there is a risk that users’ consents will not be fully voluntary.

That’s why companies will need to invoke one of the other legal grounds to process HR-related personal data. This could be, for example, contractual necessity, a legal obligation, or the legitimate interest of the employer.

If you’d like to dig deeper into the subject of GDPR and HR, this article by Fieldfisher may come in handy:
The New EU Data Protection Regime From an HR Perspective.

How will GDPR affect the Finance & Banking industry?

The impact of GDPR on the banking sector is a very complex issue.

That’s why we decided to write a separate article about it:
GDPR in Banking – How to be Sure Your Web Analytics Complies With the New Law.

Be sure to check it out!

Are charities and voluntary groups affected?

Charities and voluntary groups are also affected by GDPR.

The legislation puts strong emphasis on the responsibilities of data processors and data controllers, no matter what institution is processing the data. This means that charities, too, need to ensure that they collect, store, and manage user data in a GDPR-compliant manner.

If you have more questions about charities and data processing, we recommend these extremely helpful FAQs created by ICO:
General Data Protection Regulation (GDPR) FAQs for charities.

Does this apply to governments and public institutions (like schools, for example)?

GDPR applies to all companies and organisations processing the personal data of European citizens, no matter what size they are or the industry they are in. Even though governments and public institutions are not corporations doing business, they are still subject to potentially heavy fines under GDPR.

If you’d like to read more about how GDPR will impact local governments, we recommend this guide created by the not-for-profit IT services provider Eduserv:
Guide to GDPR for Local Government.

Some conclusions

We trust that the information presented above has given you some more good tips on preparing for GDPR. However, if you’ve got questions that we haven’t addressed here, don’t worry. Feel free to drop us a line anytime you want. We’re always happy to help!