Data Collection Requirements under GDPR
According to the GDPR, certain information may be collected and stored as long as the users remain completely anonymous. You may not store data in such a way that the users can be tracked. Data must be held for the shortest amount of time possible. The GDPR requires organizations to collect personal data only on a lawful basis. Article 6 of the GDPR provides the following 6 lawful basis:
- Consent: where the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Performance of a contract: where processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
- Compliance with legal obligation: where the processing is necessary for compliance with a legal obligation to which the controller is subject.
- Vital interests: where the processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Public interest: where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate interests: where the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
In addition to the above lawful bases, organizations must be mindful of key data collection and processing principles. Article 5 of the GDPR provides the following key data protection principles:
- Lawfulness, fairness and transparency: this principle requires organizations to collect and process data lawfully, fairly, and in a transparent manner.
- Purpose limitation: this principle requires organizations to collect and process data only for specified, explicit, and legitimate purposes.
- Data minimization: this principle requires organizations to collect data only that is adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
- Accuracy: this principle requires organizations to keep the data accurate. In case data is inaccurate, organizations need to either erase the data or have it rectified.
- Storage limitation: Once data has served its purpose, it should be removed from the organizations’ servers in order to save space and avoid any compliance issues. Data cannot be stored for longer than is necessary for the purposes for which it is processed.
- Integrity and confidentiality: this principle requires organizations to ensure that personal data is protected against unauthorized or unlawful processing or security incidents and it has appropriate security controls at all times.
- Accountability: this principle holds organizations responsible for the protection of personal data. Organizations must be able to demonstrate compliance with the applicable legal requirements.
What Organizations Need to Record
Under Article 30 of the GDPR, organizations are required to keep written records of data processing activities. These records should consist of the following items:
- Contact details of all controllers, processors, and DPOs
- Methods by which information is gathered
- Categories of information collected
- Categories of data subjects
- Categories of recipients of this information
- Purpose of data collection
- Use of data
- Specific groups affected by this data-gathering
- Transfer information to third countries, including third country or international organization
- Estimation of how long the data will be retained or data retention periods
- Security measures undertaken to protect subjects' personal data
Touchpoints of GDPR Collection
When collecting an individual's data, there are several things an organization needs to make sure of in order to stay compliant with the GDPR. There are a number of ways that an organization can obtain an individual's data (These are known as touchpoints).
A few examples of touchpoints include:
- Emails
- Social media channels
- Live chat applications
- Reverse IP lookup
- Cookies on the company’s website
In order to make sure that data collected via afore-mentioned touchpoints is in line with the requirements of the GDPR, organizations must ensure the following:
- Processing of personal data only on lawful grounds.
- Appropriate security controls to prevent data losses or security incidents.
- Adequate fulfillment and timely responses to data subjects’ requests.
- Adequate fulfillment of breach notification requirements.
- Regular Privacy Impact Assessments and Data Protection Impact Assessments (DPIA) to mitigate any potential privacy risks in data processing activities.
- Adequate consent management processes and records of data subjects’ consent for consent-based data processing.
- Updated and comprehensive records of data processing activities (RoPA).
Conclusion
Collecting data is the first step an organization takes, which opens up privacy concerns for organizations. In order to remain compliant with privacy regulations, organizations need an all-in-one tool that can help them lawfully collect data and in turn stay in compliance with privacy regulations.
Securiti’s sensitive data intelligence solution allows organizations to honor all GDPR principles and requirements before collecting a consumer's data. It also allows organizations to protect this collected data and only use it for its intended purpose.
Sign up today to watch a demo and see how Securiti SDI can help your organization.
