My visit to a phone store recently was to assess how they handle personal information in front of everyone. A social engineer only needs to set their phone to record to capture all of an individual's information without having to write it down. With all that data at someone's fingertips, they can target individuals easily. Question: this is the information age, where lots of data is out there. Are we doing enough, or is it laxity? Tell me.
According to the Information Commissioner's Office (ICO), UK, organizations are permitted to process personal data on six legal bases. They are:
(1) Consent – Clear consent is required from the individual before processing their data for a specific purpose. Most organizations will ask for consent if they need it to process personal data. Consent is not always the right basis, because it must be freely given, clear, and as easy to withdraw as it is to give.
(2) Contract – There should be a legally binding contractual agreement before processing an individual's data, or the individual should have asked the organization to take specific steps before entering into a contract.
(3) Legal Obligation – Processing is necessary for the organization to comply with the law. This basis does not cover obligations that arise from entering into a contract.
(4) Vital Interest – A rare case where processing is required to save someone's life or otherwise protect the data subject.
(5) Public Task – Processing carried out by a government entity, or on behalf of one, where the processing is necessary under the law to perform a task in the public interest for specific purposes.
(6) Legitimate Interest – A market-style activity where the processing is something the data subject would reasonably expect from the organization. Before relying on this basis, the organization must perform a balancing test to check whether the processing is necessary for it to function and whether that objective outweighs the risk of putting the data subject at risk or harming the data subject's rights. The processing may then proceed in the legitimate interests of the organization or a third party, unless there is a reason to protect the individual's personal data that overrides those interests.
An explanation of the legal basis for processing personal data must be provided whenever that data is processed.
To process personal data on the basis of consent, an organization must be able to demonstrate when and how that consent was granted. Pre-ticked boxes are no longer sufficient proof of consent; organizations must keep a clear, separate, and archived record of it. The chosen legal basis also determines how the organization must respond to data subject requests and which rights apply, and in some cases consent is required before certain rights can be granted.
Data processing for a contract may also involve categories such as race, ethnicity, biometrics, and healthcare data, all of which are considered sensitive data and require an additional level of legal justification.
Organizations may also face challenges when handling several types of data at once. For instance, an organization might hold data on both its customers and its suppliers. For customer data, there is a legal requirement that the data it holds on customers and clients be kept completely separate from the data it holds on its employees. Organizations must therefore ensure they satisfy the relevant legal basis for each processing activity and apply the balancing test where it is required. An organization must rely on a single legal basis for a given processing activity at any one time. No legal basis is inherently superior to the others; the most appropriate one depends on the organization's purpose for collecting personal data about the subject. A legal basis must therefore be established before any processing activity begins.