GDPR regulation is less than a year away, and too many companies are sticking their corporate heads in the sand, warned Andrea Ward, a lawyer with ten years’ experience covering data protection.
“You need to be wary about consent,” warned Ms Ward, Senior Associate, McGuireWoods London LLP. She was speaking at the GDPR Summit London, where she rammed home the importance of preparing for GDPR.
The fines for failure to comply are potentially crippling – up to 20 million euros or four per cent of turnover – of course, “but to begin with, companies need to assign responsibility and prepare an information audit,” suggested the employment law lawyer.
She also warned that GDPR doesn’t only apply to EU-based companies, but to the processing of personal data of data subjects who are in “the Union by a controller or processor not established in the Union.”
Turning to consent, she emphasised that it must be “freely given, informed, specific and explicit” and cannot be “implied.”
In practice this “requires a clear statement; or affirmative action” and must be “distinguished from other matters.”
The consent must be “intelligible and in easily accessible form, with clear and plain language.”
The regulation also requires that the ‘controller’ – that’s the individual or indeed group of individuals responsible for overseeing GDPR compliance – must “demonstrate that data subject has given consent, inform the data subjects that they have the right to withdraw consent at any time, and it must be as easy to withdraw, as it is to give consent.”
That’s just a small part, of course. The basics of GDPR compliance are easy to understand, said Ms Ward, but if the devil is in the detail, then companies that are not prepared need to be devilishly quick in changing that.
For more on GDPR check out the GDPR Report and www.gdprsummit.london