After the GDPR (General Data Protection Regulation) came into force in May 2018, organisations with a public-facing website took action to comply with it by publishing a privacy notice/policy on that website. Articles 12, 13 and 14 of the GDPR (among others) set out the rules on providing privacy information to data subjects.
The CCPA requires business privacy policies to include information on consumers’ privacy rights and how to exercise them: the Right to Know, the Right to Delete, the Right to Opt-Out of Sale and the Right to Non-Discrimination.
So, what is a privacy notice/policy?
A privacy notice/policy is a document that organisations give to individuals to explain how their personal data is processed; it should outline how the company manages their data. It has two aims: to promote transparency and to give individuals more control over the way their data is collected and used.
Transparency is a key principle of the GDPR, as it prevents organisations from processing personal data without data subjects’ knowledge or approval.
Privacy policies are in place but are you complying with your own statement?
The feared wave of fines did not materialise in 2018; however, we are now three years in, and fines are being imposed. The residential property company Deutsche Wohnen was fined the largest amount ever imposed in Germany for a data protection violation: 14.5 million euros. The reason for this enormous sum was the archiving system used throughout the company, which provided no means of deleting data that the company no longer required.
Consider the following questions.
- How does your company ensure it is not keeping personal data for longer than it is needed?
- How do you review the data you hold and erase it when you no longer need it?
- How are your retention periods managed?
If you are unsure how to answer any of the above questions, then you are at risk of not complying with the GDPR and are putting your organisation at risk.
The Compliance Challenge checklist: are you complying with the following?
The GDPR, alongside other government, federal, state and industry regulations, requires organisations to retain digital communication data for potential review and retrieval.
☐ We know what personal data we hold and why we need it.
☐ We carefully consider and can justify how long we keep personal data.
☐ We have a policy with standard retention periods where possible, in line with documentation obligations.
☐ We clearly identify any personal data that we need to keep for public interest archiving, scientific or historical research, or statistical purposes.
Storage Limitation: Deletion
Are you disposing of data within the required period? Without a proper compliance strategy and archiving software, organisations tend to hold on to email and file data well beyond the periods mandated by retention requirements.
☐ We regularly review our information and erase or anonymise personal data when we no longer need it.
☐ We have appropriate processes in place to comply with individuals’ requests for erasure under ‘the right to be forgotten’.
Data minimisation requires businesses to process only personal data that is ‘adequate, relevant and limited’ to what is ‘necessary’, which means businesses need a solution capable of meeting the demands of the GDPR.
☐ We only collect personal data we need for our specified purposes.
☐ We have sufficient personal data to properly fulfil those purposes.
☐ We periodically review the data we hold and delete anything we do not need.
If you are unable to tick all the boxes above, you are potentially exposing your organisation to the risk of non-compliance with the GDPR and other data protection legislation.
The cost of compliance goes well beyond the regulatory fines we see in the news; it can also include reputational damage, recovery plan implementation, eDiscovery costs, the cost of diagnosing the source and the loss from a breach, and notification costs.