The GDPR will be enforced as of May 2018. Should all personal data in the database be weighed against the GDPR (including the consent), or do the new rules only apply to new personal data?
It is true that the GDPR will be enforced as of May 2018. However, this is the end of the two-year transition period, the time that organizations have had to implement the GDPR. During this transition period, organizations are expected to take the necessary steps to comply with this new legislation.
Actions before May 2018
The actions that the organization has taken (mailings, calling campaigns, etc.) prior to May 2018 will not be judged under the GDPR, but under the rules that apply until May 2018. So there are no GDPR fines that can be imposed for the behavior of the organization prior to May 2018. The sanctions that apply until May 2018 apply to possible violations before May 2018.
Conversely, of course, actions after May 2018 will be judged under the GDPR and the sanction regime that applies there.
Records of processing activities
If the organization, in accordance with art. 30, is obliged to keep a Records of processing activities, then that Record must be complete, so including the processing up to that moment. It is therefore not a Record that starts in May 2018 and registers the processing from that moment on, but a complete picture of the processing at any time. Of course, the Records of processing activities must also be revised periodically after May 2018 and adjusted if necessary.
Rework on consent?
For processing personal data for which, in accordance with art. 6 and 7, consent has been selected as the legal basis, it must be possible to provide evidence as per May 2018 that this consent has actually been given. If in the past consent has been obtained, but has not been recorded, then the organization would do well to determine whether this consent can still be reconfirmed and stored as evidence. This could be done by requesting to reconfirm consent in a mailing, for example, with a link to a web form. This mailing could also be used in a positive way to bring the new privacy policy, and/or the privacy notice to the attention of data subjects. Something that many large companies have already done.
DPIA with retroactive effect?
Guidelines have been drawn up by the Working Party 29 for carrying out data protection impact assessments (http://ec.europa.eu/newsroom/document.cfm?doc_id=47711). On page 13, the question is asked whether data protection effect assessments must be carried out for already existing operations. It states that “The requirement to carry out a DPIA applies to existing processing operations likely to result in a high risk to the rights and freedoms of natural persons and for which there has been a change of the risks, taking into account the nature, scope, context and purposes of the processing”. It is assumed that the existing (high-risk) processing operations have already been checked by the supervisory authority or by the data protection officer. If this is not the case, it is wise to also carry out the DPIA with retroactive effect. The insight that results from this is the basis for the organizational and technical measures that have been taken. It therefore also has added value to conduct a DPIA on existing operations.
Providing information to those involved with retroactive effect?
Must the privacy notice, in accordance with art. 13 and 14, still being provided to data subjects whose personal data have been recorded? The law doesn’t answer this question directly. It seems that this is not required, but the organization is wise to consider the following:
- Make the privacy notice easily accessible to data subjects. For example, by including it on the website, by including it as a link in mailings and by including a link in every email signature for example.
- Consider if it can be combined if consent should be reconfirmed by data subjects.
- A clear privacy notice contributes to the transparency that the organization applies regarding informing data subjects. This will be considered positively in case of an investigation by a Supervisory Authority and it contributes to the trust of data subjects in the organization.
I’m curious to know your opinion or experiences regarding this aspect of GDPR. Comments are welcome!
