Fair Processing and Consent

Action(s) / Deliverable(s):
- Review your existing grounds for lawful processing and confirm that these will still be sufficient under the GDPR (e.g., can you still rely on consent given the new requirements?) and ensure that the lawful basis for processing is explained in the privacy policy
- Consider whether your organisation is processing any sensitive personal data and ensure the requirements for processing such data are satisfied
- Where consent is relied upon as the ground for processing Personal Data, review existing consents to ensure they meet the GDPR requirements, and if not implement a process to seek new consents
- Ensure systems can accommodate withdrawal of consent

Description of GDPR Requirement:
In order to lawfully process Personal Data, one of the conditions of processing, as set forth in the GDPR, must be satisfied. While the grounds for processing are broadly the same as those set out in the current Data Privacy Directive, the GDPR imposes new requirements to gain valid consent: consent must be freely given, specific, informed, and unambiguous. There must be positive opt-in (consent cannot be inferred from silence), consent must be separate from other terms and conditions, and simple options to withdraw consent must be available.
Under the GDPR, privacy notices must state the processing ground relied upon, and if relying on legitimate interests, state the nature of the legitimate interest. This will be important as individuals' rights will be different depending on the lawful basis for processing, e.g., there will be a stronger right to be forgotten where consent is used as the lawful basis.
Consider whether the specific requirements relating to consent from children apply to your organisation (see Children).

GDPR Articles: 5, 6, 7, 9, 10, 85-91

Notices / Vetting - HR

Action(s) / Deliverable(s):
- Review and update, where necessary, employee and candidate notices to be GDPR compliant
- If you currently conduct criminal records checks, review national laws to ensure you can continue to do so

Description of GDPR Requirement:
There is an emphasis on transparency in the GDPR. Notices must be clear, concise and informative. Employees must be adequately informed of all data processing activities and data transfers and the information set out in Articles 13 to 14 must be provided.
Criminal records can no longer be processed unless authorised by member state law.

GDPR Articles: 10, 12-14

Notices - Customers

Action(s) / Deliverable(s):
- Review and update, where necessary, customer privacy notices to be GDPR compliant
- Consider whether your notices have to accommodate "child-friendly requirements" (see Children)

Description of GDPR Requirement:
There is an emphasis on transparency in the GDPR. Notices must be clear, concise and informative. Customers must be adequately informed of all data processing activities and data transfers and the information set out in Articles 13 to 14 must be provided, e.g., the legal basis for the processing of personal data. Notices must also be compliant with the new Consent requirements where relying on consent as your lawful ground of processing.

GDPR Articles: 12-14

Children

Action(s) / Deliverable(s):
- Identify whether you process personal data of children
- Seek local counsel advice regarding applicable local law restrictions, codes and guidance

Description of GDPR Requirement:
The GDPR requires parental consent for the processing of data related to information society services offered to a "child" (ranging from 13 to 16 years old depending on member state). The GDPR

GDPR Articles: 8, 12