How to Solve Issues With GDPR consultancy services

The GDPR requires companies to know what data they collect, why they collect it and how they process it. Companies must also have procedures for handling requests from individuals for a copy of their personal data, delivered in a commonly accepted format.

Individuals have eight basic rights under the GDPR, and these should be taken into account when developing the policies and procedures that run your business.

PIA

Apart from defining clear purposes and obtaining explicit agreement, the GDPR obliges companies to perform privacy impact assessments (PIA). A PIA is a standard process that helps you achieve "privacy by design." Under the GDPR, a PIA is mandatory before implementing any type of data processing that is likely to pose a high risk to individuals' rights and freedoms. Such cases include profiling, automated decision-making with legal or similarly significant effects, large-scale processing of personal data, systematic monitoring of publicly accessible areas, matching or combining data sets of personal information, and the processing of sensitive data such as medical records or political opinions.

In addition, the GDPR requires every company to maintain a data inventory. You must also consider the effect that any new system or technology could have on the personal information of individuals; these assessments must be documented and communicated to the data subjects concerned. The GDPR calls for a privacy policy that is well written and easy to understand. A notice on your website should state what information you keep about visitors, how it is used and who has access to it.

The GDPR imposes severe fines on violators: the most serious infringements can result in a fine of up to 20 million euros or four percent of your total annual income, whichever is higher. Given the complexity of complying with the GDPR, it is vital to develop and implement sound procedures for detecting privacy breaches.

Consent

This process ensures that consent is obtained from the individual in a way that is lawful and reasonable. It involves a switch from an opt-out to an opt-in model, which makes it mandatory for companies to obtain permission before collecting or processing their customers' personal information. It also requires a short, plain-language privacy statement explaining what information you will collect from customers and why.

Although many believe they need consent to process any personal data, this is not the case. Consent is just one of six lawful bases set out in the GDPR; the others include contract, legal obligation, the vital interests of the data subject and public interest. When consent is the basis, it must be given explicitly and freely, and must not be implied or assumed. You cannot rely on cookie walls or other implicit consent techniques (such as scrolling or continuing to browse). Consent must be clear and unambiguous, which means a pre-ticked checkbox is not permitted.

Anyone can withdraw consent at any time, so your procedure for withdrawing consent must be documented and readily accessible. A consent management platform (CMP) such as Cookiebot can help you create cookie banners that meet GDPR standards, along with privacy policies and preference settings that give users control over what they are agreeing to. Cookiebot can also scan your site to determine whether it is GDPR-compliant and generate a compliance report with a single click.

Privacy Statements

A privacy notice is a document that explains to customers, site visitors and regulators what your organization does with personal data. It needs to clearly set out what information you collect, why you collect it and how you will use it. You must also provide details of any third parties with whom you share data.

The purpose of the privacy notice is to give individuals control over the information held about them and to allow organizations to establish trust. Privacy notices must be included in your correspondence and on your websites, and they need to be easy to read and free of unnecessary jargon. Web forms must clearly state the purpose for which data is collected and give the user the opportunity to decline. Pre-ticked consent boxes are not allowed.

Privacy notices should be reviewed periodically to reflect any changes in the way your business handles PII. The company must inform its stakeholders of any changes to its policies, including when new services are added or a retention policy is made more stringent.

The GDPR imposes the same liability on the data controller (the company that decides how data is used) and on data processors (outside businesses that process data on its behalf). Contracts with data processors must contain clauses that ensure compliance. You must also define consistent processes for detecting, reporting and containing any breaches. Furthermore, employees who handle personal data must receive basic and refresher training to ensure they comply with the regulations.

Data Retention

Data retention is the process of determining how long you keep the data you store. There are often several laws and regulations you are obliged to comply with. Your company might, for instance, have a legal requirement to keep certain documents to satisfy audit or tax requirements, and you might also need to retain data for specific purposes (such as the duration of a product warranty).

To comply with the GDPR, you must retain personal data for no longer than necessary. This reduces the risk of unauthorized access, theft or any other form of compromise. The more data an organization stores, the harder it is to keep secure and the greater the chance of exposure.

To make sure you do not store unnecessary information, create a data flow map that records what kinds of information you collect and why. You can then define a storage policy for each data type.

Regularly delete from your systems any data that is no longer required. You will save on storage costs and make searches faster when you need to locate data in response to access requests or for other legal reasons.