Suzanne Dibble

Suzanne Dibble is a business lawyer who has advised huge multi-national corporations, private equity-backed enterprises, and household names. Since 2010 she has focused on small businesses, combining her knowledge of large organizations with a deep appreciation for entrepreneurship, especially online businesses, to provide practical, relevant advice. See more at suzannedibble.com

Articles & Books From Suzanne Dibble

Article / Updated 12-14-2021
One of the key elements that underpins the General Data Protection Regulation (GDPR) is how you, as a data controller or a data processor, secure and protect the personal data you collect, store, and process. Data security isn’t just an IT issue — it affects every area of your operations, and it involves everyone at every level of your business.
Article / Updated 12-14-2021
You should include opt-in wording wherever you are collecting personal data and relying on consent as your lawful grounds for processing, unless it is clearly obvious from the circumstances that, by providing personal data, the data subject will be consenting. You will typically see opt-in wording presented within just-in-time notices.
Article / Updated 07-20-2021
A Data Subject Access Request, or DSAR, is a written request made by the data subject for information they’re entitled to ask for under the General Data Protection Regulation (GDPR). Don’t confuse a DSAR with a request under the Freedom of Information Act (FOIA) or similar legislation in other jurisdictions where data can be requested from a public authority.
Article / Updated 12-14-2021
If you are relying on the lawful grounds of consent to process personal data, you generally will need to use opt-in wording to obtain that consent. In some cases, you will need explicit consent opt-in wording (if you are processing special category data, for example). If, however, you are instead relying on legitimate interests to process personal data (checking always that the ePrivacy Directive does not require consent), then you do not need opt-in, but you must offer an opt-out.
Article / Updated 04-28-2021
Your privacy notice must be as user friendly and as understandable to the data subject as possible — often a difficult task when including detailed information and references to complex legislation. Supervisory authorities encourage you to use the following elements — perhaps with icons to draw attention — to communicate your privacy notice to data subjects: Layered privacy notice: This layout makes the text easier to read and understand by “chunking” the text underneath collapsible headings that can be expanded to reveal more information, as shown in the following figure.
Article / Updated 12-16-2021
The function of your cookie policy is to provide clear and comprehensive information to your website users about the cookies you’re using and what type of cookies they are (functional or session, for example).
Assess your cookies
To create your cookie policy, you need to know what cookies you’re using on your website and what their purpose is.
Article / Updated 12-16-2021
To process personal data, you need to have lawful grounds for processing, as provided for in the General Data Protection Regulation (GDPR). Consent is likely to be the appropriate ground where you want to offer a real choice to people — for example, whether they want to receive your marketing emails. Many people think that GDPR is all about consent, but that isn’t true; consent is just one of six potential lawful grounds for processing personal data.
Article / Updated 12-29-2021
One aim of the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, was to harmonize data protection laws across Europe — so its legal form is a regulation (an order that must be executed) as opposed to a directive (a result to achieve, though the means to achieve aren’t dictated).
Article / Updated 12-08-2021
Human error causes the vast majority of data breaches. This makes it absolutely essential that you, as a data controller or processor, provide all relevant staff with suitable training on data protection matters. In fact, Article 39 of the General Data Protection Regulation (GDPR) provides that the data protection officer (DPO) shall provide staff involved in processing operations with training in data protection matters.
Article / Updated 12-08-2021
If you’re looking to hire a data protection officer or you’re considering a new career in data protection as a DPO, this list of ten must-have skills for DPOs may prove helpful. Many company executives believe that they can hire a fairly junior IT specialist or assign the office manager (or another existing generalist staff) to fulfill the role of DPO.