Good GDPR Practice

Business Legal is often called in to help businesses review or establish good GDPR practice. David Fagan and I help businesses of all sizes navigate this complex area, and despite the GDPR now being live, plenty of businesses, from small start-ups to prospering SMEs, are still struggling to comply.

So as we approach the anniversary of its introduction, I thought I would share some of the common mistakes we see around a privacy policy. Whilst I could easily have made the list significantly longer, I wanted to make sure the article didn’t run to multiple pages, and also to make it a manageable starting point for businesses looking to comply with this important legislation.

  1. The policy scope. A simple one to start with, and also the most common – the policy should not only refer to the data processed on the website but to all the services provided to customers and the processing required for them.
  2. Disclosure of personal data. Everyone swears they do not share the data with unauthorised entities and obviously they do not sell it. What they “forget” to mention is exactly what data is disclosed and to whom. The biggest problem is that often they do not even know or realise themselves that using third-party platforms, tools or services means disclosing personal data (for example Internet providers, hosting services, social media platforms, online payment services, every entity that places third-party cookies on their site, and their non-cloud-based partners). The rule here is simple – check every touchpoint for the data to build a full picture, and if you don’t have that expertise or resource in house, bring in a consultant that does.
  3. Data transfers outside the EU / EEA and the protection measures applied – these must be specified. Most of the time, companies belonging to a group do not even mention the countries within the group to which data is transferred. For example, if the group’s IT services are in India or Turkey, i.e. outside of the EEA, this is often not mentioned, although almost all personal data within the group is transferred through those IT services. One solution is applying BCRs (binding corporate rules), which form a legally binding internal code of conduct operating within a multinational group and which apply to transfers of personal data from the group’s EEA entities to the group’s non-EEA entities. BCRs are legally binding data protection rules containing enforceable data subject rights, and they are approved by the competent Data Protection Authority. Another solution is intra-group model clause agreements.
  4. Consent – This is often where companies we help think they have a bullet-proof solution but have actually failed to think about the entire set of requirements that the GDPR demands. It is not enough to say “We have requested the customer’s agreement and have proof that he/she has agreed”. For consent to be valid it must be explicit, informed and freely given. Is consent buried in a large document referring generally to a multiplicity of types of processing? It is a requirement to be transparent (i.e. to clearly and precisely tell the individual how his or her data is going to be processed). To do otherwise is a violation of the GDPR principles.
  5. Security, or integrity and confidentiality of personal data – taking “appropriate” technical or organisational measures. Those appropriate measures should at the very least make sure that the website has an SSL/TLS certificate and serves its traffic over HTTPS, as organisations otherwise invariably send sensitive personal information over insecure channels. Another appropriate measure that is often under-deployed is encryption of the personal data itself.

Whilst this is not an exhaustive list, it is a useful prompt to review some of the biggest pitfalls that we at EU Rep regularly come across.