The General Data Protection Regulation (GDPR) comes fully into effect on 25th May
2018.
I suggest this soundbite to sum up the GDPR; “Nothing about me without me”.
The phrase is not new, it comes most recently from the UK National Health Service in the terms “No decision about me without me”.
Under the GDPR, processing of personal data (possession is processing) must be legal; it must be lawful. Each act of processing must be confirmed to be lawful and
documented. That means that organisations must show and prove compliance by
reference to records kept in relation to all personal data processing activities, specifying the purpose of the processing, the lawful basis for the processing, who the data subjects are, details of any recipients that the data may be shared with, retention policies and security measures taken.
An essential element of GDPR requirements is the obligation to have the data subject’s
consent to the processing. Forms of “consent” previously valid or sufficient may not suffice for the GDPR.
So, if an organisation cannot conform to a standard in the terms “Nothing about me
without me”, it will be acting illegally, as of 25th May 2018 if it processes personal data. Remember, possession is processing.