VisionSpace Blog


What is GDPR, Privacy Policy, and Tips on How to Comply - Part 2

In continuation of our first post, where we explained GDPR and the related terminology, we will now give you tips on how to comply. As there is a lot of information, we are going straight to the point.

Privacy policy  

You need to inform your clients how and why you are handling their data. Therefore, your website should contain an easy-to-access Privacy or Data Policy. The policy needs to address the following topics:

  • What data do you collect?

  • How do you collect the data?

  • How will you use the data?

  • How do you store the data?

  • Data usage for marketing.

  • What are cookies?

  • How do you use cookies?

  • How to manage cookies.

  • What is data protection?

  • Privacy policies of third parties.

  • How to contact your company and the appropriate authorities.

How to comply with GDPR?  

Read the GDPR. There is no shortcut here unless you hire a specialized law firm, and we advise you to do so. 

Set a sense of urgency coming from management, prioritizing cyber preparedness and compliance with global data hygiene standards, and designate data protection responsibilities to your team.

Involve all the stakeholders. They are best placed to share information that will be useful to those implementing the technical and procedural changes needed, and they will be better prepared to deal with any impact on their teams.

Hire and appoint a Data Protection Officer (DPO) - Organizations must appoint a DPO if they carry out large-scale processing of special categories of data, if they monitor individuals’ behaviour on a large scale, or if they are a public authority. GDPR doesn’t determine whether the DPO needs to be a discrete position or someone already within the company. The person should know data protection laws and have experience in a similar role to ensure the protection of personally identifiable information (PII) without conflict of interest. Depending on the organization, the DPO doesn’t need to be a full-time position, and it can be virtual. Their tasks involve understanding the GDPR and how it applies to the organization, advising people in the organization about their responsibilities, conducting data protection training, auditing, monitoring GDPR compliance, and serving as a liaison with regulators. All organizations need to ensure they have the skills and staff necessary to be compliant with GDPR legislation.

Create and maintain a data protection plan, and always review and update it.  

  • Pay closer attention to your website and data.  

  • Don’t forget about mobile devices.  

  • Determine what data you need to keep - Ask yourself: why are you storing this information instead of deleting it? What are you trying to achieve by collecting the data? Does deleting the data bring a greater financial gain than encrypting it?

Set up a process for ongoing assessment – monitoring and continuous improvement.  

Document the data you’re collecting - Include information such as how it is used, where it is stored, which employees are responsible for it, and who can access it. Map where all of the personal data in your entire business comes from, and identify any risks to that data.

Establish procedures for handling personal data – Think about how individuals can legally give consent. What would be the process if a person wanted their data deleted, and how would you ensure it was done across all platforms? How would you transfer data if a person requested it, and how would you confirm the identity of the person making the request? What would be the communication plan in case of a breach?

Handle data securely - Train your staff and implement technical and organizational security measures. Implement safeguards throughout your infrastructure to help contain any data breaches.  

Implement measures to mitigate risk - Determine the appropriate level of security deemed necessary to protect that data. You want to know what data you store and process on EU citizens and understand the risks around it. 

Test incident response plans - How well the response teams minimize the damage will directly affect the company’s risk of fines for breaches. Make sure you can report adequately and respond in a timely manner. If you have a data breach, you have 72 hours to report it to the data subjects or face penalties. This notification requirement may be waived if you use technological safeguards, such as encryption, to render the data useless to an attacker.

Report breaches - Breaches that can result in a risk to rights and freedoms, lead to discrimination, damage to reputation, financial loss, loss of confidentiality, or any other economic or social disadvantage need to be notified to the authorities. Notifications also have to be delivered directly to the affected individuals through one-to-one correspondence; media announcements aren’t enough.

Organizations also have to describe the potential consequences of the data breach, such as theft of money or identity fraud, describe the measures taken to deal with the breach and counter possible negative impacts, and provide the contact details of the data protection officer or the person dealing with the breach.

Document your GDPR compliance progress – Organizations must demonstrate progress in completing the Record of Processing Activities (RoPA) and taking inventory of risky applications. The RoPA enables organizations to identify where personal data is being processed, who is processing it, and how.

Have data processing agreement contracts with the third parties you hire to process the data for you.  

Ask for help if needed - We have some tips to help you organize your company to start the GDPR compliance process. However, VisionSpace is not a specialist, and you should still hire a lawyer to help you during the process.  

Brexit and GDPR  

The UK government announced that Brexit will not impact the country’s enforcement of GDPR, as it will benefit the UK.

GDPR has a website with tools to help you address specific challenges and understand where to focus your efforts. It also has tips on privacy tools, risk mitigation, and updates on best practices. The website has a checklist and templates for data processing agreements, right-to-erasure request forms, and privacy policies.


This article was written by Juliane Verissímo - Marketing Department of VisionSpace.