Secure personal data
Under the GDPR you need to ensure you protect any personal data with appropriate security measures. Good examples are password-protecting (encrypting) files before you send them to people, using full-drive encryption such as BitLocker on your laptop or desktop, keeping business data off private mobile phones, and using only encrypted USB sticks. It is just as important to avoid loss through accidental deletion, so make sure you have an adequate, tested backup plan for all data.
Protect data on children
It is not something a lot of companies think they need to cover, but it is more common than most people think. Do you hold a list of children's details from work fun days, or store images of those events? Does your company support e-commerce where a juvenile could purchase items or services without age verification? Does your customer support solution gather details on incidents where both adults and children may be involved, such as medical or insurance scenarios?
Marketing preferences
Engage your customer audience and give them the means to manage their marketing preferences electronically. You need to tell the customer what data you are recording about them. If you provide a mobile application that monitors location, if you want to email them about new products or services, or if you want to SMS them updates on a case, in all of these cases you will have to give the customer an opportunity to opt in or opt out. You will also have to keep a record of exactly how the opt-in/opt-out choices were presented to the customer, and a record of every change they made.
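One way to keep the records this section calls for is an append-only consent ledger: each choice a customer makes is stored as a new event, together with the exact wording that was shown and when and where it was made, and the current preference for a channel is whichever event is most recent. The following is an added example written for this page, not code from the original author; the customer identifiers, channel names and consent wording are constructed for illustration.

```python
"""Consent ledger for marketing preferences (added example, not from the original page)."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str      # hypothetical customer identifier
    channel: str         # e.g. "email", "sms", "location"
    granted: bool        # True = opted in, False = opted out
    presented_text: str  # the exact wording the customer was shown
    recorded_at: str     # ISO-8601 UTC timestamp
    source: str          # where the choice was made, e.g. "web_form", "app_settings"

    @property
    def text_hash(self) -> str:
        # Fingerprint of the presented wording, so later changes to the wording are detectable
        return hashlib.sha256(self.presented_text.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only log: a change of preference is a new event, never an edit of an old one."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, channel: str, granted: bool,
               presented_text: str, source: str,
               when: Optional[datetime] = None) -> ConsentEvent:
        # Events must be appended in the order they were received
        when = when or datetime.now(timezone.utc)
        event = ConsentEvent(subject_id, channel, granted, presented_text,
                             when.isoformat(), source)
        self._events.append(event)
        return event

    def current(self, subject_id: str, channel: str) -> Optional[ConsentEvent]:
        # The most recent event for this subject and channel is the one that counts
        matches = [e for e in self._events
                   if e.subject_id == subject_id and e.channel == channel]
        return matches[-1] if matches else None

    def may_contact(self, subject_id: str, channel: str) -> bool:
        # Default deny: no recorded opt-in means no contact on that channel
        event = self.current(subject_id, channel)
        return event is not None and event.granted

    def history(self, subject_id: str) -> List[dict]:
        # Everything recorded about one subject, suitable for answering an access request
        return [
            {"channel": e.channel, "granted": e.granted, "recorded_at": e.recorded_at,
             "source": e.source, "text_sha256": e.text_hash}
            for e in self._events if e.subject_id == subject_id
        ]

    def export_json(self, subject_id: str) -> str:
        return json.dumps(self.history(subject_id), indent=2)


def demo() -> ConsentLedger:
    """Constructed sample events (not real customer data) for a single customer."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    email_text = "Email me about new products and services."
    ledger.record("cust-1001", "email", True, email_text, "web_form", t0)
    ledger.record("cust-1001", "sms", True, "Send me SMS updates about my case.", "web_form", t0)
    # A month later the customer withdraws email consent from the app settings screen
    ledger.record("cust-1001", "email", False, email_text, "app_settings", t0.replace(month=6))
    return ledger


if __name__ == "__main__":
    ledger = demo()
    print("email allowed:", ledger.may_contact("cust-1001", "email"))  # False
    print("sms allowed:", ledger.may_contact("cust-1001", "sms"))      # True
    print(ledger.export_json("cust-1001"))
```

Withdrawing consent does not delete the earlier opt-in; it adds an opt-out on top, so the ledger can still show when and on what wording the customer originally agreed. A channel with no event at all is treated as "no consent", which is the safe default for any channel that requires opt-in.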
Disclose personal data only to the authorised persons
A person's private data may only be disclosed to them, or to someone with a legal right to the data. This data cannot be provided to a person's partner, children or co-workers, or to anyone claiming to be the person who has not given valid confirmation of their identity. This also covers other organisations that may ask for data from time to time, such as auditors, government bodies and other third parties that you have not pre-approved with the data subject. The data subject needs to be informed of any third party you release their personal data to. Bodies with legal powers, such as those conducting criminal investigations, may be entitled to access the data, but you should consult your legal team in those scenarios.
Control how data is used
It is very common for organisations to retain data because they think it might be useful at some point. Under the GDPR you can only hold data you have a legal basis to hold, or the relevant consent from the person. You may think that a PPS number is useful information to gather on an individual, but if you have no legal basis to hold it and it is not necessary for the intended purpose of the processing, then it should not be held. You also need to ensure that the quality of any data you hold is maintained and, where possible, verified with the person it concerns. Outdated or unnecessary data should be deleted, and you should avoid making copies of data unless they are needed as part of your data backup strategy.
Respect a data subject's rights under the GDPR
There are 8 data subject rights under the GDPR:
- The data subject’s right of access which means they have the right to know whether data concerning him or her are being processed and if so, access to it.
- The data subject’s right to rectification. When personal data is inaccurate, then you need to correct it or allow them to do so.
- The right to erasure or right to be forgotten.
- The data subject's right to restriction of processing of their data.
- The right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.
- The right to data portability so they can move their data to a different company or provider.
- The right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority, to any direct marketing (including profiling), and to any processing for purposes of scientific/historical research and statistics.
- Rights related to automated decision making including profiling which produces legal effects concerning them or similarly significantly affects them.
Handle data confidentially
At this point, we can see how important controls around personal data are. In any business communication involving personal data, confidentiality applies: release data only to the minimum number of people who need it, use secure methods to protect it, and disclose only the data that is necessary. An example of what to avoid is sending a list of many people's data around internally when all you want is clarification on the data of just one person.
Provide your company's data privacy policy
Ensure your company has a clear, concise and easily understandable data privacy policy, and refer to it in all communication with data subjects, whether verbally, by letter, by email or by other electronic means. This policy needs to be updated to reflect the data subject rights under the GDPR.
Privacy by Design
Privacy by design is an approach to company projects that builds privacy and data protection compliance in from the start of the project right through to its ongoing use. Unfortunately, these issues are often bolted on as an afterthought or ignored altogether, but it is much easier to comply with data protection requirements if they are a fundamental design principle throughout the process. It also ensures that everyone on the project keeps data protection foremost in their contributions to it.
If you or your company need any assistance with GDPR, please message me.