Data Protection - Are You Compliant?
Colman Phelan CFP®, QFA, M Inst D
Experienced Executive (PCF 1) and Non-Executive Director, Investment Review Consultant, Knowledge in Sales, Digital Transformation, CRM, Regulated Services, Cybersecurity, and Investment
I recently decided to update my understanding of data protection, both in the digital and offline worlds, with data expert Gail Chalmin.
Below are some common mistakes Gail has come across. She mentioned others, but for the sake of this article I've limited the number to make it a manageable starting point.
1. The policy scope: a simple one to start with, and the most common. The policy should not only refer to the data processed on the website but to all the services provided to customers and the processing required for them.
2. Disclosure of personal data: everyone swears they do not share data with unauthorised entities and, obviously, they do not sell it. What they "forget" to mention is exactly what data is disclosed and to whom. The biggest problem is often that they do not even know or realise themselves that using third-party platforms, tools or services means disclosing personal data (for example internet providers, hosting services, social media platforms, online payment services, every entity that sets third-party cookies on their site, and in turn those entities' partners). The rule here is simple: check every touchpoint for the data to build a full picture, and if you don't have that expertise or resource in house, bring in a consultant who does.
3. Data transfers outside the EU / EEA, and the protection measures applied to them, must be specified. Most of the time, in the case of companies belonging to a group, they do not even mention the countries to which data is transferred within the group. For example, if IT services at group level are located in India or Turkey, i.e. outside the EEA, this is often not mentioned, although almost all personal data is transferred within the group through those IT services. One solution is to apply BCRs (binding corporate rules), which form a legally binding internal code of conduct operating within a multinational group and apply to transfers of personal data from the group's EEA entities to its non-EEA entities. BCRs are legally binding data protection rules, containing enforceable data subject rights, which are approved by the competent Data Protection Authority. Another solution is intra-group model clause agreements.
4. Consent: this is often where companies think they have a bullet-proof solution but have actually failed to think about the entire set of requirements that GDPR demands. It is not enough to say "We have requested the customer's agreement and have proof that he/she has agreed." For consent to be valid it must be explicit, informed and freely given. Is consent buried in a large document that refers generally to a multiplicity of types of processing valid? Transparency is a requirement (i.e. clearly and precisely telling the individual how their data is going to be processed); to do otherwise is a violation of the GDPR principles.
5. Security, or the integrity and confidentiality of personal data: taking "appropriate" technical or organisational measures. Those appropriate measures should at the very least make sure that the website has an SSL certificate (so that the site is served over HTTPS), since otherwise organisations invariably end up sending sensitive personal information over an unencrypted channel. Another appropriate measure that is often under-deployed is encryption of the personal data itself.
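One practical way to act on point 5 is to audit your own pages for forms that would carry personal data to an endpoint that is not HTTPS. The script below is an added example for this article, not code from the author or from Chalmin Data; it assumes a hypothetical list of field names (PERSONAL_FIELDS) that mark a form as collecting personal data, and the HTML it scans is a constructed sample, not a real site.

```python
"""Added example (not part of the article): flag HTML forms that would submit
personal data over an unencrypted (non-HTTPS) channel."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: a simple heuristic list of field names that indicate personal
# data is being collected. Extend it to match the forms on your own site.
PERSONAL_FIELDS = {"email", "name", "phone", "address", "password", "dob", "iban"}


class FormScanner(HTMLParser):
    """Collect every <form> on a page together with the names of its fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url   # used to resolve relative form actions
        self.forms = []            # list of {"action": str, "fields": [str]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or empty action posts back to the page itself, so it
            # inherits the page's own scheme (http or https).
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = (a.get("name") or "").lower()
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(html, page_url):
    """Return (action, personal_fields) for each form that sends at least one
    personal-data field to an endpoint whose scheme is not https."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        scheme = urlparse(form["action"]).scheme
        personal = sorted(f for f in form["fields"] if f in PERSONAL_FIELDS)
        if personal and scheme != "https":
            findings.append((form["action"], personal))
    return findings


# Constructed sample page: one form posts over HTTPS, one posts over plain
# HTTP, and one collects nothing personal at all.
SAMPLE_HTML = """
<form action="https://example.com/login"><input name="email"><input name="password"></form>
<form action="http://example.com/contact"><input name="name"><input name="phone"></form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for action, fields in insecure_forms(SAMPLE_HTML, "https://example.com/"):
        print(f"INSECURE: {action} collects {', '.join(fields)}")
```

Run it against the saved HTML of each page that collects customer details; the second sample form is reported because it posts name and phone to a plain-http URL. Note that a relative action on a page that is itself served over http is also reported, which is the case the article warns about: the certificate has to be in use on the page, not merely purchased.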
This is not an exhaustive list, but it is a useful prompt to review some of the biggest pitfalls that Chalmin Data (www.chalmindataprivacy.ie) regularly comes across. And whilst Brexit still lacks clarity, what is absolutely clear from recent high-profile cases across the EU is that the compliance requirements of GDPR are not in doubt.