The right to privacy and data protection is paramount, and organisations are becoming more aware of the rights of individuals, especially since the GDPR. Businesses that store information are now obliged to state exactly how any personal information stored will be used and shared with third parties.
- The nature of the personal data to be collected and stored.
- The purpose of collecting and storing the particular data.
- The likely retention period of the data.
- The number of data controllers and data processors handling the data.
- The type of data.
- The gathering of sensitive personal information.
- The information may be used to find unanticipated, unintended or objectionable data.
- The information may unintentionally be shared with any third-party that users.
- Using clear, transparent and easy to understand language.
- Avoiding ambiguity in written content.
- Adopting a clear strategy for communication between parties.
- Avoiding the use of false or misleading information.
- Maintaining sincerity and transparency.
The GDPR has created a whole range of privacy rights and protections for individuals, and consequently any policies adopted are compelled by the regulation to be fully compliant.
Therefore any data collected on a website that is deemed personal information, i.e. names, addresses, email addresses, contact information, etc., comes under the regulation. The GDPR requires companies to be transparent about what they do with this data, including explanations of how it is gathered and how it is processed, in an honest and trustworthy manner.
- A valid reason and explanation as to the purpose and legal basis of gathering and processing user data including all the legitimate interests of the data controller.
- The actual source of the personal data.
- Details of the users (categories of the data received, such as name, email, contact information, etc.).
- Any countries to which the data is transmitted or with which it is shared, along with the security measures for the transfer of the data (also referred to as “approved transfer mechanisms”).
- Retention period, i.e. the length of time for which the data will be stored, and a definition of the criteria for how and why the information is stored.
- An explanation as to the rights of the data subjects as mentioned in the GDPR (including the right to erasure, right to rectification, right to object etc.).
- Confirmation of how data subjects can exercise these rights; this must be written in clear language explaining what a data subject can do to claim his/her rights.
- Contact and identification details of the data controllers (if no data controller is assigned, then the contact information of the representative should be detailed).
- Clear advice to data subjects about their “right to complain” to the Data Protection Authority.
- Details about the legitimate interest conditions, if any.
- Confirmation about automated decision making (e.g. profiling), with details of the reasoning behind such processes and the importance and consequences they may hold.
- Clarity regarding the personal data of children and how consent will be obtained.
- An explicit statement about the use of third-party website links.
- Confirmation of the details regarding cookies, if used on your website: how they work and what information is extracted.
- Any other relevant information should be detailed.
✓ What does the GDPR say about data protection?
The General Data Protection Regulation (GDPR) has 11 sections and 99 articles, and each article has a specific topic that businesses need to look at. However, considering the protection of data subjects, the GDPR has specific articles that define the privacy of users’ information, such as:
- Article 12 of the GDPR requires your business to communicate about the processing of data in a way that is:
  - Easy to understand
  - Concise and in clear language
  - Easily accessible
  - Free of charge
  Most legal policies include technical and legal language, which makes them difficult for non-technical readers to understand. The GDPR aims to avoid this.
- Article 5 describes the specific principles that should be kept in mind while processing users’ personal data. It requires companies to process data lawfully and fairly, and the data must be adequate and relevant to the purpose for which it is collected.
- Article 7 describes the conditions of consent, which a business should consider when obtaining consent from users for data gathering and processing, along with the sharing of data with third parties.
- Article 24 briefly describes the responsibility of a data controller, who must explain the purposes of processing and evaluate the risks involved according to their severity.
✓ What to do now?
GDPR compliance in your policies and other processes can save your business from hefty fines and penalties. To implement the necessary changes to comply with the GDPR, most businesses will need expert guidance, advanced technology and employee training.