Accountability is a common principle for organisations across many disciplines; the principle holds that organisations live up to expectations, for instance in the delivery of their products and in their behaviour towards those they interact with. The General Data Protection Regulation integrates accountability as a principle which requires that organisations put in place appropriate technical and organisational measures and be able to demonstrate, when requested, what they did and how effective it was.
Organisations, and not Data Protection Authorities, must demonstrate that they are compliant with the law. Such measures include:
- adequate documentation on what personal data is processed, how, for what purpose, and for how long;
- documented processes and procedures aimed at tackling data protection issues at an early stage when building information systems or when responding to a data breach;
- the presence of a Data Protection Officer (if required) who is integrated into the organisation's planning and operations, etc.
The GDPR places direct data processing obligations on businesses and organisations at an EU-wide level. According to the GDPR, an organisation can only process personal data under certain conditions. For instance, the processing should be fair and transparent, for a specified and legitimate purpose and limited to the data necessary to fulfil this purpose. It must also be based on one of the following legal grounds.
- The consent of the individual concerned.
- A contractual obligation between you and the individual.
- To satisfy a legal obligation.
- To protect the vital interests of the individual.
- To carry out a task that is in the public interest.
- For your company’s legitimate interests, but only after having checked that the fundamental rights and freedoms of the individual whose data you are processing are not seriously impacted. If the person’s rights override your interests, then you cannot process the data.
The key steps you need to take to ensure compliance with data protection legislation:
- Identify what personal data you hold (this can be achieved by setting out the information listed in Article 30 of the GDPR or, for smaller companies, by a tailored process such as filling in a template that we can give you to help you start).
- Conduct a risk assessment of the personal data you hold and your data processing activities (Article 24, Recital 75 and section titled “Risk based approach to being GDPR compliant”).
- Implement appropriate technical and organisational measures to ensure data (on digital and paper files) is stored securely. The security measures your business should put in place will depend on the type of personal data you hold and the risk to your customers and employees should your security measures be compromised (Article 32).
- Know the legal basis you rely on (consent? contract? legitimate interest? legal obligation?) to justify your processing of personal data (Articles 6 to 8).
- Ensure that you are only collecting the minimum amount of personal data necessary to conduct your business, that the data is accurate and kept no longer than is needed for the purpose for which it was collected (Article 5).
- Be transparent with your customers about the reasons for collecting their personal data, the specific uses it will be put to, and how long you need to keep their data on file (e.g. privacy notices on your website or signs at points of sale) (Articles 12, 13 and 14).
- Establish whether or not the personal data you process falls under the category of special categories (sensitive) of personal data and, if it does, know what additional precautions you need to take (Article 9).
- Decide whether you will need to retain the services of a Data Protection Officer (DPO) (Article 37).
We understand that data protection is essential to an organisation’s reputation and the help we can give is designed to support you in conducting your business in a transparent and compliant manner.
We know the power of a well drafted privacy policy, and we also know the potential damage a poorly crafted statement can do to a business.
Privacy policies serve multiple purposes. They help you meet your regulatory requirement to inform people about what you are doing with their personal data. They build trust with your potential customers so that they will be willing to share their personal data with your business.
They are also a shopfront onto your business and they give you vital clues about how seriously your business takes data protection.
We can help at Chalmin Data Privacy www.chalmindataprivacy.ie
Contact Gail on 0872329569