GDPR: Don’t forget the Recitals!
A perspective from Mohit Sahgal.
There are so many references and interpretations on GDPR Articles; yet very few, if any, references to the Recitals. Today, there are 99 active GDPR Articles, but there are 170+ GDPR Recitals. In general, there are several Recitals per Article. The Recitals provide significant guidance on clarifying the implementation of a specific Article. Naturally, the guidance still requires interpretation, but the additional information is useful.
Chapter II Principles, Article 7 – “Conditions for consent” is a good example. In addition to the Article 7 requirements, there are four – Recitals 32, 33, 42, and 43 which must be reviewed. Recital 32 clarifies the conditions under which consent is required. Recital 33 clarifies consent for “scientific research purposes”. Recital 42 clarifies consent specifically for a controller. And, Recital 43 is a reminder that consent is not the sole basis for the lawfulness of data processing, and that consent is required for each type of data processing. Lastly, lest we forget, Article 83 5 (a) reminds us of the fines that may be incurred if consent is inappropriately addressed.
Four key takeaways:
- Err on the conservative side – request consent for every type of data processing
- Document the consent, and all subsequent changes to the consent that an EU subject may make over time
- Ensure the data processing is lawful or required by law, regardless of whether consent was given
- Enable an EU subject to review their consent(s) and withdraw their consent(s) as and when they may invoke their right
Designing a “consent master”, self-service capability is essential. Facebook, for example, has introduced a “privacy center”, reorganizing and centralizing various types of security settings in one place. Designed correctly, a centralized, integrated, self-service approach reduces risk, and potential exposure to inquiries, audits and fines.
Mr. Mohit Sahgal is the VP of Analytics of Paradigm Technology. He is an accomplished senior executive with decades of management consulting expertise. Mohit has held various leadership positions including Senior Executive at Accenture, Partner at IBM, Partner at Capco, and Executive Director at Ernst & Young LLP.
Mr. Sahgal LinkedIn profile can be found here: www.linkedin.com/in/mohit-sahgal
Paradigm Technology is a strategic consulting company serving the banking, airline, manufacturing, high-tech and retail marketplaces. We utilize innovative business and technology solutions to help clients enable their digital transformation programs, and improve their Analytics, Cloud, Master Data Management, and Project Leadership solution delivery. Paradigm is ready to support you in your GDPR compliance journey. For more information about Paradigm Technology and GDPR, email email@example.com or visit us at www.pt-corp.com.