Develop Privacy Policy and Procedures for GDPR
xMatters is running a four-part blog series as a compliance checklist for the European Union (EU) General Data Protection Regulation (GDPR). Part 1 was about the Data Protection Officer, and part 2 was about Data Protection Impact Assessments.
Part 3: Whether the GDPR applies to you or not, I know you have a privacy policy. Otherwise you don’t have any customers, and you’re out of business. However, under the GDPR, your privacy policy must serve some specific purposes that it might not serve today. Let’s take a look at the privacy policy under the GDPR.
Your privacy policy sets direction and makes declarations that create transparency for the customers who interact with you. When you set an expectation and then meet it, you remove risk and let your customers know how you will use the information they provide to you. The privacy policy is also the public face of your privacy efforts. It might be just as boring as the terms of service no one reads before downloading new software onto their phones, but it isn’t boring to your customers – and it shouldn’t be boring to you.
In fact, from my experience, some potential customers will choose to walk away if they’re not happy with your privacy policy.
There are a number of areas in which the privacy policy can have an impact. Let’s look at some of the most important ones.
1. Understand Data Transfer Agreements (DTAs) and Onward Data Transfer (ODT)
Organizations transfer personal data all the time; that data then gets processed in a second country or, after an onward transfer, in a third country or international organization. Under the GDPR, certain conditions have to be met before an original data transfer or an onward data transfer to a third country or international organization can take place.
If the Commission decides that the receiving country or international organization ensures an adequate level of protection, the transfer does not need any specific authorization.
Otherwise, a controller or processor must provide appropriate safeguards and show that data subjects have effective legal remedies available.
Failing that, you would need to gain approval from the data subjects or meet other conditions that might be difficult.
2. Respect consent mechanisms
Consent is very specific and required under the GDPR. No more pre-checked boxes, sneaking consent for one thing in with others, or assuming consent. When consent is necessary for processing, the data subject must freely consent to the processing of personal data through a clear action, so no more so-called “opt-out consent” either.
For sensitive data, data subjects must give explicit consent, and you must give them an option to withdraw or refuse consent.
That means you too, marketers. Under the GDPR, all individuals have the right to object to direct marketing and profiling related to direct marketing. And under the GDPR, you must inform them that they have that right.
And you know how sometimes you want to unsubscribe from something, and you can’t figure out how? Under the GDPR, you must make withdrawing consent as easy as giving consent.
3. Prepare data breach notification processes
Under the GDPR, companies must notify individuals without delay that there has been a breach of their personal data. When possible, you must deliver this notification within 72 hours of becoming aware of the breach, unless the breach is unlikely to impact the rights and freedoms of individuals. Data processors also bear the onus of reporting breaches to the company that collected and controls the data they process.
4. Support the right to be forgotten
If personal information is compromised, an individual has the right to have his or her personal data rectified, and a “right to be forgotten” where retention of the data does not comply with the regulation or with applicable Union or member state law. This right is particularly relevant when the data subject gave consent as a child and later wants to remove such personal data, especially on the Internet.
5. Retain privacy data properly throughout the lifecycle
Further retention of the data is lawful only where it is necessary. Necessary? Yes: necessary for exercising the right of freedom of expression and information, for complying with a legal obligation, for a task carried out in the public interest, for public health, for archiving purposes in the public interest, for scientific and historical research purposes or statistical purposes, or for the establishment, exercise or defense of legal claims.
6. Match privacy procedures to your privacy policy
Privacy procedures must build in privacy by design, along with development and deployment concepts, including but not limited to:
- Awareness and training for data privacy
- Data mapping, flow and access control
- Requirements for privacy data protection mechanisms
- PIA/DPIA mechanisms, frequency, retention and governance effectiveness
- Data storage and processing locality