
It is important for every company to comply with GDPR data protection requirements, especially if you are based in Europe. You need to make sure that all of the principles and obligations are fulfilled in order to protect your customers' data and avoid penalties.
What is GDPR Data Protection?
GDPR data protection is a set of rules created to protect the rights and freedoms of individuals with regard to their personal data. GDPR contains various rules that every company must follow when processing different types of personal data, especially the data of EU citizens.
Note that complying with GDPR matters not only to avoid penalties but also to maintain your reputation, especially since customers have become increasingly knowledgeable about personal data protection and how valuable their data is.
Tips to Plan the Best Practice That Can Comply With GDPR
It is important for your company to plan the method it will use to comply with GDPR. There are a few best practices you can follow, but you still need to plan the method yourself. Here are a few things you can do to plan the practices your company will use to comply with GDPR.
- Understand data protection and know how to define it
Before planning the best practices, you first need to understand the key definitions used in GDPR data protection, as you will need them to define the company's policy later on. Some of the most important definitions are:
- Processing
This is defined as any operation or set of operations performed on personal data, including collecting, organizing, storing and disseminating personal data.
- Personal data
This is defined as any information relating to an identified or identifiable natural person. A natural person is an individual who can be identified, directly or indirectly, by reference to an identifier, whether an online identifier or personal identification.
- Data Processor
This is defined as an entity that processes personal data on behalf of the data controller.
- Data controller
This is defined as an entity that determines the purposes and means of processing personal data. The data controller may make that determination alone or jointly with others.
- Pseudonymization
This is defined as processing personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information. That additional information (the identifiers needed to re-identify the subject) must be kept separately and protected by appropriate technical and organizational measures to ensure it stays secure.
Besides these definitions, GDPR contains further, more detailed definitions of each entity it refers to, which you should also understand.
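As an added illustration of the pseudonymization definition above (example code, not part of the original article), the following Python replaces direct identifiers in customer records with keyed pseudonyms while keeping the key and the pseudonym-to-value mapping in a separate store. The records, field names and the choice of HMAC-SHA256 are assumptions made for this example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed sample records: a small customer table with direct identifiers.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "plan": "premium", "spend_eur": 120},
    {"customer_id": "C-1002", "email": "bob@example.com", "plan": "basic", "spend_eur": 15},
    {"customer_id": "C-1001", "email": "alice@example.com", "plan": "premium", "spend_eur": 80},
]

# Fields that directly identify a natural person (assumption for this example).
DIRECT_IDENTIFIERS = ("customer_id", "email")


@dataclass
class KeyStore:
    """The 'additional information' that GDPR requires to be kept separately.

    Holds the HMAC key and the pseudonym -> original value mapping, so that
    re-identification is possible only for whoever is granted access to this store.
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    mapping: dict = field(default_factory=dict)

    def pseudonym(self, field_name: str, value: str) -> str:
        # Keyed hash: the same input always yields the same pseudonym, so the
        # pseudonymized dataset still supports joins and counts, but without
        # the key the pseudonym can be neither reversed nor re-derived.
        tag = hmac.new(self.key, f"{field_name}:{value}".encode(), hashlib.sha256).hexdigest()[:16]
        self.mapping[(field_name, tag)] = value
        return tag

    def reidentify(self, field_name: str, tag: str) -> str:
        return self.mapping[(field_name, tag)]


def pseudonymize(records, keystore: KeyStore):
    """Return copies of the records with direct identifiers replaced by pseudonyms.

    The returned dataset can be handed to, say, an analytics team, while the
    keystore stays with the controller under separate access controls.
    """
    out = []
    for rec in records:
        new = dict(rec)
        for name in DIRECT_IDENTIFIERS:
            if name in new:
                new[name] = keystore.pseudonym(name, new[name])
        out.append(new)
    return out
```

The non-identifying attributes (plan, spend) are left intact, which is exactly why pseudonymized data is still personal data under GDPR: anyone holding the key store can re-link them to the individual.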
- Understand the company's processing ground
Most companies will use "legitimate business interest", one of the grounds set out in GDPR, as their legal basis for processing. You need to make sure you apply it properly, especially since GDPR obligations keep being updated.
- Understand which of the company's activities are considered high risk
GDPR states that data processing activities should be assessed on a risk basis. You are therefore obliged to assess the activities your company performs in order to determine their risk level and their impact on data privacy. This means you need to run a risk assessment on all activities so that you can identify those considered high risk.
- Understand when to notify after a breach
If your company processes data in the EU and a breach happens, you have a legal obligation to inform the local authority responsible for data protection. Not every breach has to be reported, however, and the required time frame is difficult to meet in practice. You therefore need a proper breach management procedure that helps you comply with this obligation.
- Understand the customer's data rights
The data rights customers currently have under GDPR will remain and will most likely be expanded in the future. That is why you need to provide detailed and accurate fair-processing information and handle customers' access requests so they can exercise their rights.
- Understand the company's profiling
Customers have the right not to be subject to decisions based on automated profiling. You therefore need to inform customers when profiling occurs and review the decision if the customer requests it.
- Understand international data transfers
GDPR provides Binding Corporate Rules (BCRs) that regulate international data transfers. Your company can use this option to make sure that transfers take place at the level of security GDPR requires.
GDPR Best Practices Your Company Should Follow
In order to comply with GDPR data protection requirements, your company needs to do several things. The complete rules are described in GDPR itself. Here are some of the best practices you can follow to comply with GDPR.
- Keep updating the company's privacy policy
You need to revise the company's privacy policy periodically to make sure that everything stated in it is still valid. You also need to make sure that consent is actually requested when collecting any data from the user. Furthermore, the privacy policy should clearly state the purpose of the data collection.
- Train the company's staff
Even though the company already applies various technologies to protect customer data, you should also recognize that your staff play a very important role in data protection.
That is why you need to make sure that all staff, and new employees in particular, are knowledgeable about GDPR. You need to teach them the company's policies on data security, the user's rights and the importance of data protection.
To achieve this, run staff training periodically and teach them about GDPR. They need to know the procedures your company follows to protect customer data, and they need to learn how to respond when users make any request concerning their data.
- Exercise the company's data breach plan
If there is one thing no company wants, it is a data breach. But every company also needs to be ready, with a set of plans for when one does occur. That is why you should train your staff and make sure they know the plan for when a data breach happens.
You should also periodically evaluate their knowledge of the plan. Make sure that all staff know where to find the report form for a data breach event and have the knowledge needed to fill it in. You should also tell them who needs to be informed when the event happens and who will be responsible for communicating with users.
- Update the company's data inventory
You need to be able to explain to customers how their personal data is collected, used and edited. You should also be able to respond to their requests for the portability or removal of their personal data.
To make sure you can do all of that, it is important to maintain the company's data inventory. Remember to include personal data stored in backups, as that data must also be removed when customers request it.
- Update the company's security infrastructure
Every day there are new security threats, and with them new security safeguards to mitigate them. It is therefore important to make sure that all of your security infrastructure is kept up to date.
Follow industry best practice by maintaining the authentication technology and encryption algorithms your company uses. One option is to use a hosting platform that already complies with GDPR. That way you do not need to update the infrastructure yourself when new technology comes out, because the host will maintain it.
- Make sure to use GDPR-compliant vendors
If you use a vendor to process personal data for your company, you need to check their data protection policy and make sure they actually follow it.
You should sign a DPA (data processing agreement) with every data processor. You should also keep a list of the vendors the company uses and make sure it is accessible to the public.
- Keep protecting private data during transfers
When the private data of EU citizens is transferred to an area outside the EU, you still need to protect it at the same level required by EU GDPR data protection. You can check with the European Commission which countries provide an equivalent level of protection.
Remember that this list of countries is modified periodically. It is therefore important to check the newest list, especially when transferring data outside the EU.
Conclusion
As you can see, there are a number of GDPR data protection best practices you need to follow to make sure that your company complies with the regulation. You may need to explore these practices further so that they better suit your company's data protection needs.