If you want to avoid the attention of the regulators, you need to do two things. The first is to make sure that you don’t lose any personal data, destroy any personal data or allow anyone to steal it. The second is to make sure that nobody complains.
The GDPR gives individuals enhanced rights. In practice this means that individuals have more rights to contact you and ask for something in relation to their personal data. If you don’t give them what they are entitled to within the required time period, they are likely to complain. They also have the right to sue you.
How you make sure customers don’t complain
Be completely transparent about how you process personal data (see our blog post on how you do this). Have clear privacy notices. Build your products and services with privacy in mind. If you think that a customer may be surprised by what you are doing with their data, explain it to them. Don’t do something with personal data that is outside the scope of what you have already explained to your customers.
If what you are doing feels intrusive, it probably is. Think of ways that you can use less personal data or no personal data to provide your goods and services. Use anonymisation and pseudonymisation.
Be honest with your customers. They are smart. They will give you more rights to use their personal data if they understand why you need to use it and especially if it is to provide them with better goods or services.
How you make sure that employee personal data is not used against you
Those advising disgruntled employees, or ‘bad leavers’, often use requests under the GDPR (“subject access requests”) as part of their litigation tactics. The idea is that if the advisor puts you to inconvenience and expense in responding to a subject access request, you may decide to just pay the employee off rather than comply with the request. This is especially the case if the employee knows that, as an organisation, you are not set up to respond to such requests.
Have a clear privacy notice referred to in employees’ employment documentation. Make sure that they read it and understand it. Have a clear written process for how you respond to such requests. Make sure that your HR department understands that process and is able to implement it.
Obviously, if all your employees are happy, then such litigation tactics are unlikely, so the most important thing is keeping your workforce motivated and supported.
How you make sure you spot a subject access request
Make sure that your staff are trained in GDPR compliance. There is no set format for subject access requests, and they don’t even have to be in writing. Make sure that staff watch out for communications which refer to “personal data”, “data”, “user data”, “employee data”, “personal information” or “PII”.
Likewise, watch out for phrases like “marketing communications” and “direct marketing” which are often used in subject access requests.
Watch out for references to legislation or initials for such legislation such as “Data Protection Act”, “DPA”, “General Data Protection Regulation”, “GDPR” or “PECR”.
How you make sure you get this right
You need to train your staff. You need a structure. You need a process. You need templates. On a practical level, you need to respond on time!
All you need is contained within The Privacy Compliance Hub which is an easy to use platform containing a comprehensive data protection compliance programme which enables you to own your compliance. Feel free to get in touch if you would like to find out more.
This article is part of an eight part series. Feel free to check out the others:
GDPR: Are you sure you’re fine?
- Are you sure your staff know why the GDPR is important to the success of your organisation?
- Are you sure you know what you do with people’s data?
- Are you sure you tell people what you do with their data?
- Are you sure you trust organisations that you are sharing data with?
- Are you sure that nobody will complain?
- Are you sure you’re secure?
- Are you sure you know which countries keep data safe?
- Are you sure you build products and services with privacy in mind?