Explicit Customer Consent
It is now mandatory to ask customers before processing or storing their data. The request must be clear and visible, and it must be made in a straightforward way using easy-to-understand language. Silence or inactivity on the customer's part must not be taken as a yes, and companies that use customer information must be able to prove that they received approval. Your customers also now have the right to withdraw consent upon request within a reasonable timeframe.
Get A Data Protection Officer (DPO) If You Can
Hiring someone who specializes in data protection can save you a lot of worry. Your DPO is your point person for ensuring GDPR compliance. This is especially important for companies larger than 10 to 15 employees that process personal data on a daily basis and in large volumes. But what does the DPO role actually do? The role entails:
- Regular and systematic monitoring of data on a large scale
- Processing of special categories of data on a large scale
Conduct A Data Protection Impact Assessment (DPIA)
You will definitely need to conduct a data protection impact assessment if your company stores personal data in permanent storage. It should be done before any project is carried out, and it is essentially an internal audit that lets you measure how effectively you safeguard the privacy of the individuals whose data you store. A DPIA has three aims:
- Compliance with applicable legal, regulatory and policy requirements
- Establishing the risks and effects
- Evaluating protections and alternative processes to mitigate privacy risks
Data Breach Policies
There will always be substantial risks when it comes to storing data. Data breach policies ensure that your customers' trust is kept intact in the worst case, which is a data breach. The GDPR requires companies to notify local data protection authorities of any data breach within 72 hours of discovery. And yes, this means that every company will need technology that allows it to detect and address breaches within that timeframe. Note as well that this is one of the stricter GDPR requirements, and you may have to overhaul your internal data security policies to meet it.
Giving Them The Right to Opt-Out
Deleting personal data not only minimizes the amount of data each company has to keep but also gives customers the freedom to choose. So if certain data is not needed, or its deletion has been requested, delete it. And as mentioned, customers have every right to request to be taken off email lists and any other lists that a company stores for marketing or similar purposes.