No matter where your business is located, privacy laws such as the EU's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) are going to affect the long-term success of your business. The recent fines imposed on Google for lack of transparency, the barrage of media coverage of Facebook, and the damaging data breaches at Marriott, Target, Home Depot and countless others have put privacy and data protection at the top of customers' minds. In fact, according to this Forrester report, consumer trust is at an all-time low. The latest Harris/IBM poll reveals that "75 percent [of potential customers] will not buy a product from a company, no matter how great the products are, if they don't trust the company to protect their data".
This means one of the most important things you can do for the long-term success of your business is establish trust with your customers. And one of the best ways to do this is by implementing Privacy by Design and becoming fully GDPR compliant.
This guide will get you started in 7 easy steps, which we've divided into two parts.
Step 1: Document and Track All of Your Data Processing Activities
GDPR has a lot of implications for many industries and departments, but every privacy compliance program starts from the same thing: an accurate data map or data registry (GDPR calls it a record of processing activities). Maintaining an accurate and up-to-date data map is the basis of your entire privacy program, and it greatly reduces the risk of personal information being handled without authorization. This is because organizations (data controllers) face questions from data subjects (people) and are obliged to disclose which third parties and which third countries process their personal data, as well as how and why it is used. A successful data mapping exercise lets an organization answer these questions with confidence and gives customers the information they expect about their personal data and its usage.
| Action: Initiate data process mapping exercise and keep your data map updated and accurate at all times.
Questions to ask in your data map:
What type of data is collected? Is it sensitive and identifiable personal information?
Why is the data collected?
Who is collecting data?
Is data shared with third parties?
Where (what country) is data being stored and processed in?
When, why, and how is the data being used? Is the data used for the purpose for which it was collected?
How long is data retained?
What is the lawful basis for processing? Consent, or another lawful basis such as contract, legal obligation or legitimate interest?
To get started, the UK ICO provides two basic templates (one for controllers, one for processors) to help you document your processing activities.
Step 2: Do Regular Processing Impact Assessments (PIAs)
Once you know where your data flows and for what purposes, you're in a much better position to assess potential risks. This is done with a Processing Impact Assessment (PIA), which GDPR calls a Data Protection Impact Assessment (DPIA) and requires for any processing likely to result in a high risk to individuals, not just once but whenever the processing or its risks change. Ideally, you do the impact assessment before starting the actual processing operation, to establish whether the activity is necessary and whether it could affect the rights and freedoms of a person. PIAs are also important tools for accountability, as they demonstrate that appropriate measures have been taken to ensure compliance with regulations. Simply put, a PIA is a process for building and demonstrating compliance, and you should establish a cadence for repeating them on an ongoing basis (every 1 to 3 years, for example, and sooner if the processing changes).
With a PIA you can:
Readily predict potential problems
Begin the process of implementing privacy by design: "proactive, not reactive; preventative, not remedial"
Improve your ability to adhere to GDPR requirements
Ensure that your organization is aware of and prepared to handle privacy and data protection obligations
| Action: Develop a PIA template and appoint a point person who will be responsible for running the assessments and maintaining the audit records.
Here are a few sample PIAs to get you started.
Step 3: Update Privacy Notices & Identify Product Changes
Whether you are a data processor or a data controller, GDPR states that consent can be withdrawn at any time, can't be inferred from inaction (pre-ticked boxes or silence), and that forced consent is "invalid." Consent must be freely given, specific, informed and unambiguous.
It's always best to get advice from your legal counsel, but the first thing you'll want to do is keep records proving that valid consent was collected: who consented, to what, when and how. This usually takes the form of an opt-in privacy notice, written in plain and clear language, on any form that collects personal information such as email, name, phone number and address.
There are several different approaches for developing an effective privacy notice, but if your goal is to establish trust, we recommend being as transparent as possible, providing a user-friendly experience and giving users a quick and easy way to access the information they need to make an informed decision.
In addition to updating privacy notices, you will also need to:
Give customers the choice and the ability to revoke consent as easily as they gave it
Respect your customers' choices and propagate restrictions on data use downstream to third parties
Process data in a way that is consistent with the original intent and the user privacy expectations
| ACTION: Update your privacy policies to include processing activities, intent of data collection and what data you will collect, maintain records of consent and identify product changes required to manage data processing restrictions downstream to third parties.
Step 4: Streamline Your Subject Access Request Process
Under GDPR, data subjects have 8 fundamental rights. These include the right to be informed; the right of access to the data being processed; the right to rectification of inaccurate data; the right to erasure (the right to be forgotten); the right to restrict processing; the right to data portability; the right to object; and rights related to automated decision-making and profiling.
As a data controller, you are required to respond to these requests without undue delay and within one month (extendable by a further two months for complex or numerous requests, provided you tell the subject within the first month), so you'll want to have a process in place.
A good Subject Access Request (SAR) process will allow subjects to:
withdraw consent at any time, as easily as it was given
easily identify what information has been collected and stored and what processing has been carried out
If you did Step 1 (mapped all your data processing activities) and have kept the map up to date, you're already in a good position to respond to SARs relatively quickly. But the end goal should be to automate and streamline these processes as much as possible and give control back to the data subject (remember, the bigger goal is to establish trust with your clients).
| Action: Develop a response process to streamline SAR fulfillment
Embed SAR handling into customer-facing and employee-facing services, systems and mobile apps (both internal and external) so that your organization can fully administer SARs across third-party vendors (processors);
Train employees on new GDPR requirements and SAR processes
Implement a self-serve approach for SAR fulfillment
What if I am a Data Processor & Not a Data Controller, Do I need a SAR Process?
In many cases, the initial contact from a subject comes directly to the controller, but it can also arrive at the data processor. The data processor is not responsible for responding to the SAR by default; that duty sits with the controller. That said, if you are a third-party vendor (a data processor), you are obliged to assist the controller, so you'll need a coordinated approach with the data controller to handle the request within the deadline.
This means that, at the start of data collection, the subject must receive clear information notices informing them of their rights under GDPR (the controller's notice, which processors should make sure covers their role), and processors must keep an up-to-date data map or data registry that records the purpose, location, extent and duration of processing, the retention period, and the categories of data processed on each controller's behalf. Finally, don't forget to do PIAs regularly to identify potential risks in your data collection procedures.
Keep Going, You're Halfway There!
Start with these four steps to see how far you get, and stay tuned for the second half of this publication for the remaining steps. The key thing you need to do (if you haven't already) is start documenting all your data processing activities. Do that, and you're well on your way to being privacy compliant.
About Feroot Privacy
Feroot is a Privacy Operations Platform that transforms your static data map into a dynamic data registry, so you can automatically manage data across all departments, track consent across third-party vendors centrally and quickly respond to Subject Access Requests.