10 tips for data controllers - how to apply the GDPR - experience from the first half of the year
After analysing complaints, questions and incoming signals, the Personal Data Protection Office has prepared 10 tips for data controllers to help them apply the GDPR rules on a daily basis.
1. Establish the proper basis for collecting and using personal data
Remember that consent is not the only basis for processing personal data. If you are entitled by law to process the data, or the data is necessary to conclude a contract, do not ask for consent when collecting and using it. Doing so misleads your customers, because in such cases they cannot actually withdraw the consent they gave.
2. Comply with the information obligation in accordance with the new rules
Remember that the GDPR has introduced significant changes to the so-called information obligation. You now have to provide data subjects with more information. If you have appointed a Data Protection Officer (DPO), you must provide his or her contact details. It is also your responsibility to indicate the period for which you will store the data. You also have to provide more information about data subjects' rights, among other things the possibility to withdraw consent and the right to lodge a complaint with the President of the Personal Data Protection Office. Remember that when you collect someone's data from third parties or from publicly available sources, or when you buy it, you become its controller and must also fulfil the information obligation, even when you collect just a phone number or an email address.
3. Communicate in a transparent way
Remember that the principle of transparency introduced by the GDPR applies at all stages of communication with the person whose data is being processed. It requires that all information and any messages related to the processing of personal data be concise, transparent, easy to understand and formulated in clear and plain language. The point is that these messages should not be written by lawyers for lawyers, as has often been the practice so far. They should also be easily accessible. Therefore, organise the communication process with the people whose data you process properly and make sure that the messages and information addressed to them are properly formulated. Where justified, use layered information: first provide the basic information and indicate where the reader can find more.
4. Always respect the rights of people
Remember the rights of the people whose data you are processing. Take care of this also when an external entity, with whom you sign a contract commissioning the processing of your clients' personal data, acts on your behalf. For example, if this entity carries out marketing activities for you, make sure that it will inform you about objections raised or requests for rectification. It is worth including relevant provisions on this matter in the contract you sign with this entity. Your customers will definitely appreciate it.
5. Remember that consent can be withdrawn at any time
The GDPR directly states that a person whose data you are processing on the basis of his or her consent may withdraw it at any time, and that this should not give rise to any negative consequences for this person (e.g. an increase in the service fee). You must inform the data subject about this right. Make sure that withdrawing consent is as easy as giving it.
6. Data breaches should be reported to the President of the Personal Data Protection Office and, when necessary, to the persons whose data have been affected
In the case of a personal data breach (e.g. leakage, loss or accidental access by an unauthorised person), as a controller you must notify the President of the Personal Data Protection Office without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. The exception is when the breach is unlikely to result in a risk to the rights or freedoms of natural persons. When the risk to these rights and freedoms is high, you must also notify the persons whose data have been affected. Provide them with guidance on how to proceed, so that they can take action to prevent or limit the negative consequences of the breach, such as the risk of identity theft.
7. Do not create unnecessary documentation
The accountability principle obliges you to put in place internal procedures that ensure compliance with the GDPR and help you demonstrate that you are processing personal data properly. Remember that in order to prove various activities, such as obtaining consent, you do not always have to collect paper documentation and the signatures of the people who gave it to you. Consent can also be recorded or saved in an IT system. Additionally, procedures that you have adopted and implemented, confirmed by employees' statements, may constitute sufficient evidence.
8. You have the right to profile, but remember the limitations
The GDPR does not prohibit profiling. However, remember that if you profile, you must inform the data subject about it and indicate the consequences of doing so. Additionally, when you make automated decisions on the basis of profiling (without human intervention) that produce legal effects or similarly significantly affect the person, you have to obtain his or her consent, unless the decision is necessary to conclude or perform a contract, or is permitted by EU or Member State law.
9. Invest in a professional DPO
Even if you are not obliged to, consider designating a Data Protection Officer (DPO). As a professional, a DPO will support you in organising the processing of personal data properly, as well as in protecting you against customer claims or sanctions imposed by the supervisory authority. If you have already designated one, make sure that the DPO's contact details are easily accessible.
10. Watch out for fraudsters
Frightening people with high penalties or demanding payment is a popular tactic of fraudsters who want to make easy money from the GDPR! Be careful and do not be fooled! Read incoming correspondence carefully. Check who sent it and what it concerns. If it purports to come from the Personal Data Protection Office, verify whether it contains the required elements, e.g. the proper name of the office, correct addresses, authentic signatures and an original official seal. Ask an inspector to show the authorisation for the inspection as well as an official ID. If you want to use the support of companies operating on the market, check their credibility and experience. Choose training and courses on personal data protection with care.