Two cornerstones of the GDPR are being transparent about how you process personal information, and ensuring everyone within the organisation knows what they are and aren’t allowed to do.
Your staff need to understand that each operation, such as sending out a marketing email or sharing personal data with a contractor, needs a “legal basis”. One such basis is consent. But at the time that consent is given and someone’s personal information is collected, you must be clear about what personal information you process, what you do with it, who you share it with, how you protect it, how long you keep it, and what you do with it when you no longer need it. Using that personal information for something else would definitely be considered a breach of the GDPR.
In the third of our short training videos, the Privacy Guy explores a scenario where someone signs up to a new invite-only networking app. One of the conditions of access is the app uploads all of that person’s phone contacts and shares them with everyone else (a la Clubhouse). Now everyone, including that person’s boss, who is also on the app, has phone details of that person’s contacts, which might include ex-partners, friends or close family members.
And what if a company is arranging a conference with the help of an external organiser, who suggests using a new app that will encourage user engagement? Could there be any potential concerns with data being shared beyond its original use there?
Being transparent isn’t just including a privacy notice on your company website. You need notices to warn users when you are doing something unusual with their personal information. You need notices to tell your employees and prospective job candidates what you do with their personal information. And you need to make clear that you only share personal information with third parties that are taking the same steps as you are to keep it safe.
Find out more next time with our fourth privacy promise – Safe Sharing.
Are you building a culture of continuous privacy compliance?
Take our free GDPR compliance health check and receive an objective, personalised report that outlines what you’re doing well and where there’s room for improvement. It takes just 10 minutes, is easy to understand and requires no preparation.