Navigating GDPR
5 Common mistakes in a Privacy policy
EU Rep boasts a series of trusted partners who are often called in to help businesses review or establish good GDPR practice. Businesses of all sizes are trying to navigate this complex area, and despite the GDPR having been in force for over 10 months, plenty of businesses, from small start-ups to prospering SMEs, are still struggling to comply.
So what are some of the common mistakes in a privacy policy? The following five areas are a good place for businesses to start:
- The policy scope. A simple one to start with, and also the most common: the policy should not only cover the data processed on the website but all the services provided to customers and the processing those services require.
- Disclosure of personal data. Everyone swears they do not share data with unauthorised entities and, obviously, that they do not sell it. What they “forget” to mention is exactly what data is disclosed and to whom. The biggest problem is that they often do not even realise that using third-party platforms, tools or services means disclosing personal data: internet providers, hosting services, social media platforms, online payment services, every entity that sets third-party cookies on the site, and those entities’ own partners. The rule here is simple: check every touchpoint for the data to build a full picture, and if you do not have that expertise or resource in house, bring in a consultant who does.
- Data transfers outside the EU / EEA, and the protection measures applied to them, must be specified. Most of the time, companies belonging to a group do not even mention the countries to which data is transferred within the group. For example, if the group’s IT services are based in India or Turkey, i.e. outside the EEA, this is often not mentioned, although almost all of the group’s personal data passes through those IT services and is therefore transferred. One solution is binding corporate rules (BCRs): a legally binding internal code of conduct operating within a multinational group, which applies to transfers of personal data from the group’s EEA entities to its non-EEA entities. BCRs contain enforceable data subject rights and are approved by the competent data protection authority. Another solution is an intra-group agreement based on the standard contractual clauses (model clauses).
- Consent. This is often where companies I help think they have a bullet-proof solution but have actually failed to consider the full set of requirements the GDPR imposes. It is not enough to say “We have requested the customer’s agreement and have proof that he/she has agreed.” For consent to be valid it must be freely given, specific, informed and unambiguous (and explicit where special categories of data are involved). Is consent buried in a large document that refers generally to many different types of processing valid? No: transparency is required, i.e. the individual must be told clearly and precisely how their data is going to be processed. To do otherwise is a violation of the GDPR principles.
- Security, or the integrity and confidentiality of personal data: taking “appropriate” technical and organisational measures. At the very least, those measures should ensure that the website serves every page over HTTPS with a valid TLS certificate and redirects plain HTTP to HTTPS; a certificate that is installed but not enforced still leaves contact and sign-up forms sending personal data over an insecure channel. Another appropriate measure that is often under-deployed is encryption of stored personal data, including backups, together with sound management of the keys.
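The transport-security point above is easy to claim in a policy and easy to get wrong in practice. As an added example, not code from the original article or from EU Rep, here is a small audit that runs over captured HTTP responses and flags pages still served over plain HTTP, HTTPS pages without an HSTS header (or with a short max-age), and cookies set without the Secure and HttpOnly attributes. The example.org responses, the 180-day max-age threshold and the `Response` container are all assumptions made for this example.

```python
"""Audit captured HTTP responses for the transport-security controls that
the "appropriate technical measures" in a privacy policy should actually be
backed by: every page served over HTTPS, plain-HTTP requests redirected to
HTTPS, HSTS set with a sensible max-age, and cookies flagged Secure/HttpOnly.
All responses below are constructed sample data for example.org, not captures
from any real site."""

from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: 180 days is used as the minimum acceptable HSTS max-age.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600
REDIRECT_CODES = (301, 302, 307, 308)


@dataclass
class Response:
    url: str                                  # URL that was requested
    status: int                               # HTTP status code
    headers: Dict[str, str]                   # response headers
    set_cookies: List[str] = field(default_factory=list)  # raw Set-Cookie values


def header(resp: Response, name: str):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in resp.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value; -1 if absent/invalid."""
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                return int(directive.split("=", 1)[1].strip('"'))
            except ValueError:
                return -1
    return -1


def audit_response(resp: Response) -> List[str]:
    """Return human-readable findings for one response (empty list = clean)."""
    findings = []
    scheme = resp.url.split("://", 1)[0].lower()
    if scheme == "http":
        location = header(resp, "Location") or ""
        if not (resp.status in REDIRECT_CODES and location.lower().startswith("https://")):
            findings.append(f"{resp.url}: served over plain HTTP with no redirect to HTTPS")
        return findings  # HSTS/cookie checks are meaningless on a plaintext response
    hsts = header(resp, "Strict-Transport-Security")
    if hsts is None:
        findings.append(f"{resp.url}: missing Strict-Transport-Security header")
    elif hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append(f"{resp.url}: HSTS max-age below {MIN_HSTS_MAX_AGE} seconds")
    for cookie in resp.set_cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"{resp.url}: cookie {name!r} lacks the Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"{resp.url}: cookie {name!r} lacks the HttpOnly attribute")
    return findings


def audit(responses: List[Response]) -> List[str]:
    """Audit a whole crawl; the policy's claim only holds if this comes back empty."""
    findings = []
    for resp in responses:
        findings.extend(audit_response(resp))
    return findings


# Constructed sample crawl: two plain-HTTP requests and two HTTPS pages.
SAMPLE_RESPONSES = [
    Response("http://example.org/", 301, {"Location": "https://example.org/"}),
    Response("http://example.org/contact", 200, {"Content-Type": "text/html"}),
    Response("https://example.org/", 200,
             {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
             ["session=abc123; Path=/; Secure; HttpOnly"]),
    Response("https://example.org/signup", 200, {"Content-Type": "text/html"},
             ["tracking=xyz; Path=/"]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(finding)
```

On the sample crawl the home page passes (HTTP redirects to HTTPS, HSTS is set, the session cookie is Secure and HttpOnly), while the contact page is served in cleartext and the sign-up page has no HSTS and sets an unprotected cookie. Feed it real captures from a crawler or proxy and treat any finding as a gap between what the policy promises and what the site does.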