Privacy: Which Personal Data Are You Processing?
Privacy is no longer confined to our personal lives; it extends to our digital lives as well. The data people put on the internet is sensitive and needs to be adequately protected. With the number of data theft cases growing, the European Union took a significant step in 2016: it adopted the General Data Protection Regulation (GDPR) to protect the privacy and personal data of individuals in the EU. The regulation became enforceable on 25 May 2018.
GDPR rests on seven principles (Article 5) that protect the personal data of every data subject in the EU. It also empowers individuals by giving them more control over whether and how their personal data is shared. Although it is a European law, it does not bind only European businesses: any individual or organization that processes the personal data of people in the EU, wherever that organization is established, is legally bound to comply with GDPR (Article 3).
The Impact of GDPR on Businesses
Before talking about how GDPR changed the way businesses operate, let’s first clarify some essential terms:
- Data controller: Article 4(7) of the GDPR defines a data controller as the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data processor: the natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller (Article 4(8)).
- Data subject: any living individual whose personal data is collected, stored or otherwise processed by data controllers and processors.
- Personal data: any information relating to an identified or identifiable natural person (Article 4(1)). This includes indirect identifiers such as an IP address, a device ID or a customer number, not only names and e-mail addresses.
Under GDPR, data controllers (in practice, the businesses collecting the data) must inform data subjects that their data is being collected, declare the purposes of the processing and provide further information such as how long the personal data will be retained (Articles 13 and 14).
Data controllers that regularly process personal data must record their processing activities to manage and demonstrate compliance with GDPR. Complex organizations handle enormous amounts of personal data about many data subjects, so many of them use dedicated tools to help manage GDPR compliance.
Record of Processing Activity
A record of processing activities is the inventory a business keeps of the processing it performs on personal data, so that every operation on that data can be tracked. Article 30 of the GDPR obliges data controllers and data processors to maintain such a record as an accountability tool for GDPR compliance.
Typically, the record of processing activities is owned by the Privacy Office, but all departments should be involved in discovering and managing the processing activities they perform.
What is a Processing Activity?
A processing activity is one entry in that inventory: a description of a particular use of personal data, kept so that the organization can account for what it does with the data. To satisfy Article 30 of the GDPR, each entry must contain at least:
- The name and contact details of the controller (and, where applicable, of the data protection officer)
- A description of the categories of data subjects and of the categories of personal data
- The purposes of the processing
- The individuals and/or entities that receive the data (including recipients in third countries or international organizations)
- Where possible, the envisaged time limits for erasure of the different categories of data
- Where possible, a general description of the technical and organizational security measures applied (Article 32(1))
Consent is one of the legal bases for processing defined by the GDPR (Article 6 – Lawfulness of processing); the others include performance of a contract, a legal obligation and the controller's legitimate interests.
Where consent is the legal basis, the data controller must be able to demonstrate that the data subject consented before their data was collected, processed and/or stored (Article 7(1)). In practice this means keeping a record of who consented, to what purpose, when, and through which version of the consent text. The data subject must be able to withdraw consent at any time, and withdrawing must be as easy as giving it (Article 7(3)).
So, how do organizations get consent?
To comply, businesses generally use a form (a web form or a paper one) asking for the explicit consent of the data subject to collect, store and process their personal data for a specific purpose.
The request must be written in clear and plain language, clearly distinguishable from other matters, so that the data subject understands what they are accepting or refusing (Article 7(2)). Pre-ticked boxes, silence or continued use of a site do not count as consent.
The following are some examples of processing activities, grouped by principal business function, for which consent is commonly the legal basis (some of them, such as fulfilling a travel booking, may instead rest on performance of a contract under Article 6(1)(b)):
- Consumer Care
- Consumer Complaint management
- Sales Customer Information
- Store visit
- Use of Personal Image for campaigns
- International communication
- Travel Booking
- Marketing campaigns
- Market Research
- Cookies on websites/apps
No discussion of privacy and personal data is complete without cookie banners. Cookies are small pieces of text that a website asks the browser to store on the user's device and send back with later requests; they can carry information about the user's activity on the site, and third-party cookies can follow the user across sites. A cookie banner is the notice that appears when a user first loads a page, asking which categories of cookies they accept.
Importance of Cookie Banners:
Asking the user for consent through the banner does not complete the work needed for a GDPR-compliant website: cookies that are not strictly necessary must not be set before consent is given, the choice must be recorded so that it can be demonstrated later, and cookies set under a consent that is later withdrawn must be removed.
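The following is an added example, not code from the original post, of the consent-gated cookie handling described above and of the demonstrable consent record discussed earlier. It replaces the browser's `document.cookie` with a plain `Map` (the "jar") so that it runs under Node; the cookie names, the purpose categories and the policy version string are assumptions made for the illustration.

```javascript
// Added example (not from the original post): consent-gated cookie handling.
// The browser's document.cookie is stood in for by a Map ("jar") so the code
// runs offline under Node; in a real page you would write document.cookie.

// Hypothetical cookie catalogue: the purpose category each cookie serves.
// "necessary" cookies need no consent; every other category does.
const COOKIE_CATEGORY = {
  session_id: "necessary",
  csrf_token: "necessary",
  _ga: "analytics",
  ad_id: "marketing",
};

class ConsentManager {
  constructor(policyVersion) {
    this.policyVersion = policyVersion; // version of the consent text shown to the user
    this.records = [];                  // append-only audit trail: demonstrates consent (Art. 7(1))
    this.granted = new Set();           // categories the user has explicitly accepted
  }

  // Record an explicit opt-in. A category never granted stays refused:
  // there is no implied consent from silence or from pre-ticked boxes.
  grant(categories, timestamp) {
    for (const c of categories) this.granted.add(c);
    this.records.push({ action: "grant", categories: [...categories],
                        policyVersion: this.policyVersion, at: timestamp });
  }

  // Withdrawal must be as easy as granting (Art. 7(3)) and is logged too.
  withdraw(category, timestamp) {
    this.granted.delete(category);
    this.records.push({ action: "withdraw", categories: [category],
                        policyVersion: this.policyVersion, at: timestamp });
  }

  allows(category) {
    return category === "necessary" || this.granted.has(category);
  }
}

// Sets a cookie only if its purpose category is allowed. Unknown cookies are
// refused loudly: an uncatalogued cookie cannot be tied to a purpose.
function setCookie(jar, consent, name, value) {
  const category = COOKIE_CATEGORY[name];
  if (category === undefined) {
    throw new Error(`unknown cookie "${name}": add it to the catalogue first`);
  }
  if (!consent.allows(category)) return false; // refused: no consent for this purpose
  jar.set(name, value);
  return true;
}

// Withdrawal must also take effect on cookies that were already set.
function purgeWithdrawn(jar, consent) {
  const removed = [];
  for (const name of [...jar.keys()]) {
    if (!consent.allows(COOKIE_CATEGORY[name])) {
      jar.delete(name);
      removed.push(name);
    }
  }
  return removed;
}

// Walk-through on constructed input: a fresh visitor, an opt-in, a withdrawal.
function demo() {
  const jar = new Map();
  const consent = new ConsentManager("privacy-policy-2024-05");
  const before = {
    session: setCookie(jar, consent, "session_id", "abc"), // necessary: set
    analytics: setCookie(jar, consent, "_ga", "GA1.1"),     // refused: no consent yet
  };
  consent.grant(["analytics"], "2024-05-01T10:00:00Z");
  const afterGrant = setCookie(jar, consent, "_ga", "GA1.1"); // now allowed
  consent.withdraw("analytics", "2024-05-02T09:00:00Z");
  const purged = purgeWithdrawn(jar, consent);              // removes _ga
  return {
    before,
    afterGrant,
    purged,
    remaining: [...jar.keys()],
    auditEntries: consent.records.length,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the catalogue is that every cookie is mapped to a purpose before it can be set; a cookie nobody has classified is treated as an error rather than silently allowed, which is the failure mode most banners suffer from.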
See you next post!