Countdown to GDPR #5: Data Security and Privacy Policies
To prepare for the upcoming GDPR we’re doing a series of blogs about key regulations and ways to be compliant with them. In Part 1 we discussed the Right to Be Forgotten in Part 2 we spoke about Privacy by Design and by Default , in Part 3 we understood why Designating Data a Protection Officer (DPO) may be the new norm and in Part 4 we detailed the impact GDPR will have on customer communication and experience.
In this blog, I take a look at the impact of GDPR on Data Security and Privacy Policies and what it may mean for your organization.
The Article Explained
Even though they seem to be synonymous, there is a distinction between data protection and data privacy. Data protection has to do with securing data against unauthorized and/or erroneous access. Data privacy is about granting authorized access in a legally compliant manner. Protecting your data doesn’t ensure data privacy and vice versa.
- The controller is responsible for protecting data with adequate and demonstrable measures: Article 32 and Article 24 of the GDPR, Security of processing, states that “the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation”. Some ways include “pseudonymisation and encryption of personal data” and “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and service”. It also states that adequate measures have to be taken to protect data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
- Controllers need to have a GDPR-compliant data protection policy: Article 24 states that “proportionate in relation to processing activities, measures shall include the implementation of appropriate data protection policies by the controller.”
- Data privacy policies hinge on explicit consent to process personal data: Article 9 in particular singles out personal data to not be processed unless “explicit consent” is provided.
How do I Achieve Compliance?
The first step is to re-examine your Data Security and Privacy policies with a GDPR-toothed comb.
Here are some pointers:
- Update/modify your Data Security and Privacy Policies to comply with the GDPR. The policies should be enforceable, concise and easy to understand.
- An additional Data Privacy/Protection Addendum (with standard contractual clauses added) helps customers/users know exactly how you plan to adhere to the regulation and creates a one-stop-shop for documentation.
- Ensure that your policies outline the following:
- Objectives of the policy.
- Measures in place to address the articles of GDPR and/or other Data Protection/Privacy laws.
- Contact details of one/more concerned organizational representative like a Data Protection Officer (DPO). If the data will be processed by third-parties, their contact information is also required.
- Scope of the policy as far as the people and data it applies to.
- Instructions and guidelines for data access, transfer and processing.
- Possible data risks the policies seek to address.
- Data Breach/Violation response plan.
- An increased level of consent is required for Privacy policies. Consent must be given with an obvious “opt-in” with “a statement or by a clear affirmative action.”
What are your concerns about the GDPR? Tweet me @scarabeetle using #CountdowntoGDPR, or add a comment below.Listen to my discussion on GDPR on The Hot Aisle #73 podcast here where I talk about these issues and more.
Stay tuned for my next blog on Data Processing and Retention.Spanning and GDPR Compliance