Have you determined that GDPR does not apply to your business?
Congrats, if you have. But remember that you must still follow privacy or data protection requirements in non-EU jurisdictions, as privacy laws and regulations there have been and are being amended with rules very similar to the EU’s General Data Protection Regulation (GDPR). Preparing ahead will protect your business from liabilities and stiff regulatory penalties.
As a general privacy or data protection practice, consider the following rules if your business uses or stores personal information.
Personal information includes, for example, the personal information of employees, customers or clients, members, and users or account holders. Privacy or data protection rules apply when you collect and handle personal information, such as:
- transactional information from customers
- job candidates’ personal information
- employee records
- personal information used for marketing products or services
- video (CCTV) and other employee-monitoring or surveillance
- giving customers’ personal information to a third-party company to complete a purchase or order
- sending direct marketing to individuals, for which you must provide an unsubscribe link and make it easy for individuals to exercise their right to opt out of direct marketing
Here’s what you must tell people you collect personal information from:
- Tell them who you are
- Tell them the business reason behind you collecting their personal information
- Tell them how you’ll use their personal information
- Tell them if you’re sharing this information with other organizations
- Tell them about their rights and choices:
  - that they have the right to see any information you hold about them
  - that they can correct it if it’s wrong or incomplete
  - that they can request that their personal data be deleted
  - that they can request that their data not be used for certain purposes
The key principles of privacy or data protection your business must follow are:
- Lawfulness, fairness and transparency: You must be open about what you’re doing with personal data, and it must be legal.
- Purpose limitation: You must have a specific, explicit, and legitimate purpose.
- Data minimization: You must limit the personal data you collect to what is relevant to the specified purpose.
- Accuracy: You must keep personal data up to date, and corrections must be made without delay.
- Storage limitation: You must not store personal information longer than is necessary for the purposes for which it is processed.
- Integrity and confidentiality (security): You must make sure personal information is kept safe from unauthorized disclosure and alteration.
- Accountability: You must be able to demonstrate that you’re compliant with the privacy and data protection principles and requirements of the relevant jurisdictions.
What if enforcement authorities show up?
If a privacy or data protection enforcement authority comes knocking or makes inquiries about your personal information processing activities:
- Be ready to show and tell the data protection authority how your business collects and uses personal information
What if you receive complaints or requests from individuals whose personal information you process?
- Be ready to respond to individuals who want to view what information you hold about them or want to exercise their rights
What if you don’t know what to do?
- Get advice from a privacy/data protection expert.
Photo courtesy: Adeola Eletu, RawPixel, Mike Petrucci, and William Stitt