‘Legitimate interests’ is the most flexible lawful basis available for processing. However, it won’t always be appropriate. You must show you’ve balanced your own interests against the individual’s interests and if there is another less intrusive way to achieve the same result, then it should be followed.
If you decide to use legitimate interests as the lawful basis of your data processing, then a Legitimate Interests Assessment (LIA) must be completed in all instances. An LIA is effectively a risk assessment. It ensures you have gone through a comprehensive decision-making process to balance your own interests and those of the data subject.
There are three key elements. You need to:
- Identify what your legitimate interests are
- Show that processing the data is necessary
- Balance this need against the individual’s interests, rights and freedoms
8. Handling data breaches
A personal data breach is defined by the ICO as ‘any breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. This includes both accidental and deliberate breaches. You need to ensure that you have strong processes in place to detect, report and investigate potential personal data breaches.
Some organisations are already required to notify the ICO if they have suffered a data breach. You will only need to notify them of a breach if it poses a risk to the rights and freedoms of individuals, for example where it could result in them being discriminated against, suffering financial loss, loss of confidentiality, damage to their reputation or any other social or economic disadvantage. You will need to make your report to the ICO within 72 hours.
9. Carry out a Privacy Impact Assessment (PIA)
GDPR makes privacy by design an express legal requirement. It also makes Privacy Impact Assessments (PIAs) - referred to as ‘Data Protection Impact Assessments’ or DPIAs - mandatory in certain circumstances.
A PIA may not be required in all circumstances, but it is important to understand where it is necessary, such as:
- Where a new technology is being deployed
- Where a profiling operation is likely to significantly affect
- Where there is processing on a large scale of special categories of data
10. Assign a Data Protection Officer
Certain organisations are required to formally designate a Data Protection Officer (DPO). The DPO can have other responsibilities within the business. Organisations that must designate a DPO include:
- Public authorities (except for courts acting in their judicial capacity)
- Organisations that carry out regular and systematic monitoring of individuals on a large scale
- Organisations that carry out the large-scale processing of special categories of data, such as health records, or information about criminal convictions.
It is vital that whoever takes responsibility for your data protection compliance does so effectively and has the knowledge, support and authority to carry out their role.
11. Consider international implications
This point is only relevant for organisations who carry out cross-border processing.
For any business which operates in more than one EU member state, you are required to determine and document who your lead data protection supervisory authority is. That means you need to disclose who the supervisory authority is in the state where your ‘main establishment’ is (i.e. the location where your central administration in the EU is, or the location where decisions about the purposes and means of processing are taken and implemented).
If this rule applies to you then map out where your organisation makes its most significant decisions about its processing activities. This will help to determine your ‘main establishment’ and therefore your lead supervisory authority.
12. Update systems and processes
Ensure processes are updated and systems are adjusted in readiness for GDPR. Once you’ve mapped your data, considered the lawful basis for processing and documented everything, now is the time to take action and implement change. Don’t delay.
For more information see the ICO ‘Guide to the General Data Protection Regulation (GDPR)’.
Ready to fuel your sales pipeline with GDPR compliant leads?
Uncover who your anonymous website visitors are, identify when they're ready to buy and access the contact details you need whilst also being compliant with GDPR.
Lead Forensics primarily sources business data, which is not applicable under GDPR. Where personal data is processed (the email addresses and names of the key decision makers), it is compliant under GDPR given the legitimate interest in your products or services shown by the pro-active visit from the organisation at which the data subject is employed. The beauty of Lead Forensics is that whatever data we provide you with, it all stems from a legitimate interest. We only supply you with data for a company contact because someone from that specific organisation has visited your website, showing a legitimate interest in what you’re offering.
DISCLAIMER: Lead Forensics is a global market leading SaaS organisation. We have conducted extensive research into the GDPR and have an active working knowledge intended to help our clients to become better prepared ahead of the GDPR coming into force. Lead Forensics however does not provide legal advice on the GDPR and cannot be held responsible for the GDPR compliance of any organisation other than its own; it is the responsibility of each business to ensure their own compliance with the GDPR. If you have any need for legal advice, please contact a solicitor or visit the ICO website for further information: https://www.ico.org.uk