GRC

19.04.2022

Privacy: Which Personal Data Are You Processing?


Privacy is no longer limited to our personal lives; it extends to our digital lives as well. The data people put online can be sensitive and needs to be adequately protected. With data breaches and data theft on the rise, the European Union took a significant step in 2016: it adopted the General Data Protection Regulation (GDPR), which has applied since 25 May 2018 and protects the personal data and privacy of individuals in the EU.

The GDPR is built on seven principles (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; accountability) that govern how personal data may be handled. It also gives individuals more control over whether and how their personal data is shared. Although it is a European regulation, it does not bind only European businesses: any organisation that processes the personal data of people in the EU must comply with it, whether it is established in the EU or offers goods and services to, or monitors the behaviour of, people in the EU from elsewhere.

The Impact of GDPR on Businesses  
Before talking about how GDPR changed the way businesses operate, let’s first clarify some essential terms:  

Data controller: Article 4 of the GDPR defines a data controller as the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of processing personal data.
Data processor: the entity that processes personal data on behalf of the data controller.
Data subject: any living individual whose personal data is collected, stored or processed by controllers and processors.
Personal data: any information relating to an identified or identifiable natural person, from a name or e-mail address to an IP address, a device identifier or location data.

Under GDPR, data controllers (in practice, the businesses collecting the data) must inform data subjects that their data is being collected, state the purpose and legal basis of the processing, and provide further information such as who will receive the data, how long it will be retained and which rights the data subject can exercise.

Data controllers that regularly process personal data must keep a record of their processing activities to manage and demonstrate compliance with GDPR. Large organisations handle enormous amounts of personal data about many data subjects, so many of them rely on dedicated tools to manage GDPR compliance.

Record of Processing Activity  
It is the activity through which a business builds an inventory of its data processing, so that everything done with the personal data concerned is tracked. Article 30 of GDPR obliges both data controllers and data processors to maintain a record of processing activities as a tool for demonstrating compliance. Organisations with fewer than 250 employees are exempt only if the processing is occasional, is unlikely to result in a risk to data subjects, and involves no special categories of data or criminal conviction data, so in practice most businesses still need the record.

Typically, the record of processing activities is maintained by the Privacy Office, but every department should be involved in discovering and managing its own processing activities.

What is a Processing Activity?  
A processing activity is a set of operations performed on personal data for a given purpose (for example, managing a newsletter or handling customer complaints); the record describes each such activity for inventory purposes. To fulfil Article 30 of the GDPR, the record must contain, for each activity:

The name and contact details of the controller (and, where applicable, the joint controller, the controller's representative and the data protection officer)
The purposes of the processing
A description of the categories of data subjects and of the categories of personal data
The categories of recipients to whom the data has been or will be disclosed (including recipients in third countries or international organisations and, where applicable, the safeguards for such transfers)
Where possible, the envisaged time limits for erasure of the different categories of data
Where possible, a general description of the technical and organisational security measures

Obtaining Consent
Consent is one of the legal bases for data processing defined by GDPR (Article 6 GDPR – Lawfulness of processing). 

If consent is the legal basis relied on, the data controller must be able to demonstrate that the data subject consented before the data was collected, processed or stored (Article 7). The data subject must be able to withdraw consent at any time, and withdrawing must be as easy as giving it; processing based on that consent then has to stop, although processing that took place before the withdrawal remains lawful.

So, how do organizations get consent?  

To comply, businesses generally use a form (a web form or a paper one) that asks the data subject for a clear affirmative action, such as ticking an unticked box or clicking an accept button, to consent to the collection, storage and processing of their personal data for a specific purpose. Pre-ticked boxes, silence or inactivity do not count as consent, and consent given for one purpose does not cover another.

The request must be written in plain, clear language and be clearly distinguishable from other matters, so that the user understands exactly what they are accepting or refusing.

The following are examples of processing activities, grouped by business function, for which consent is commonly used as the legal basis. Whether consent is the right basis depends on the context: where the processing is necessary to perform a contract or is covered by a legitimate interest, that basis is usually preferable, and consent obtained from employees is rarely considered freely given because of the imbalance of power between employer and employee.

Sales:

Consumer Care 
Consumer complaint management
Sales Customer Information 
Store visit 
HR:

Use of Personal Image for campaigns 
International communication 
Travel Booking 
Digital Marketing:  

Newsletters 
Marketing campaigns 
Market Research 
Cookies on websites/apps 

Cookie Banners
The discussion about privacy and personal data is incomplete without cookie banners. Cookies are small pieces of text that a website asks the browser to store on the user's device and send back with later requests; they carry information such as a session identifier or a record of the user's activity on the site. Cookie banners are the notices that appear when a page loads, before any non-essential cookie is set, asking the user how cookies may be used.

Importance of Cookie Banners:  
The requirement to ask before storing or reading cookies comes from the ePrivacy Directive (Article 5(3)), and the consent it requires must meet the GDPR standard. A website that uses cookies which are not strictly necessary for the service the user requested (analytics, advertising, social media plug-ins) must therefore present a cookie banner asking for the user's consent before those cookies are set; strictly necessary cookies, such as a session or shopping-basket cookie, do not need consent.

The banner must tell the user which cookies are used and for what purpose, and must let the user accept or refuse them, with refusing as easy as accepting. A user who refuses non-essential cookies must still be able to browse the site, and the choice must be recorded so that it can be demonstrated later and changed or withdrawn at any time.

Asking the user for consent does not complete the work needed for a GDPR-compliant website: the choice also has to be enforced (no non-essential cookie set before consent, and such cookies removed when consent is withdrawn), recorded, and honoured consistently across the site.
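The consent requirements described in the two sections above (consent must be explicit and demonstrable, withdrawal must be as easy as giving it, and non-essential cookies may only be placed after consent) translate into a small piece of client-side logic. The following is an added example, not code from the original post: a consent manager that records the data subject's choice per cookie category with a timestamp and notice version, purges cookies whose category is no longer consented to, and refuses to set anything beyond strictly necessary cookies without a recorded opt-in. The category names, cookie names and the CONSENT_VERSION string are assumptions made for illustration; CookieJar stands in for document.cookie so the example runs under Node.js without a browser.

```javascript
// Added example (not from the original post): consent-gated cookie handling.
// Category names, cookie names and CONSENT_VERSION are illustrative assumptions.

const CONSENT_VERSION = "cookie-notice-2022-04"; // assumed: identifies the notice text the user saw

// Only "necessary" (strictly required for the requested service) may be set without consent.
const CATEGORIES = {
  necessary: { essential: true },
  analytics: { essential: false },
  marketing: { essential: false },
};

// Stand-in for document.cookie so the example runs outside a browser.
class CookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()].sort(); }
}

class ConsentManager {
  // `now` is injectable so the demo gets a fixed, reproducible timestamp.
  constructor(jar, now = () => new Date().toISOString()) {
    this.jar = jar;
    this.now = now;
    this.record = null;       // no record means nothing beyond "necessary" is allowed
    this.placed = new Map();  // cookie name -> category, so withdrawal can purge cookies
    this.log = [];            // append-only evidence that consent was given or withdrawn
  }

  // Record an explicit choice. A category the user did not tick is false:
  // silence, inactivity or a pre-ticked box never counts as consent.
  recordChoice(choices) {
    const granted = {};
    for (const [cat, meta] of Object.entries(CATEGORIES)) {
      granted[cat] = meta.essential ? true : choices[cat] === true;
    }
    this.record = { version: CONSENT_VERSION, at: this.now(), granted };
    this.log.push({ event: "consent", ...this.record });
    this.enforce();
    return this.record;
  }

  // Withdrawal takes effect immediately; essential categories cannot be withdrawn.
  withdraw(category) {
    const meta = CATEGORIES[category];
    if (!meta || meta.essential || !this.record) return false;
    const granted = { ...this.record.granted, [category]: false };
    this.record = { ...this.record, at: this.now(), granted };
    this.log.push({ event: "withdraw", category, at: this.record.at });
    this.enforce();
    return true;
  }

  isAllowed(category) {
    const meta = CATEGORIES[category];
    if (!meta) throw new Error("unknown cookie category: " + category);
    return meta.essential || Boolean(this.record && this.record.granted[category]);
  }

  // The only path that sets cookies: the category gate is applied on every call.
  setCookie(name, value, category) {
    if (!this.isAllowed(category)) return false;
    this.jar.set(name, value);
    this.placed.set(name, category);
    return true;
  }

  // Remove every cookie whose category is no longer consented to.
  enforce() {
    for (const [name, category] of this.placed) {
      if (!this.isAllowed(category)) {
        this.jar.remove(name);
        this.placed.delete(name);
      }
    }
  }
}

// Lifecycle walk-through: before any choice, after opting in to analytics only, after withdrawal.
function demo() {
  const jar = new CookieJar();
  const cm = new ConsentManager(jar, () => "2022-04-19T10:00:00Z");
  const before = {
    session: cm.setCookie("session_id", "s-1", "necessary"), // allowed: strictly necessary
    analytics: cm.setCookie("_stats", "a-1", "analytics"),   // refused: no consent yet
  };
  cm.recordChoice({ analytics: true }); // marketing not mentioned, so not granted
  const after = {
    analytics: cm.setCookie("_stats", "a-1", "analytics"),
    marketing: cm.setCookie("_ads", "m-1", "marketing"),
  };
  cm.withdraw("analytics"); // _stats is purged, session_id stays
  return { before, after, cookies: jar.names(), events: cm.log.map((e) => e.event) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In a real site the log entries would be sent to the server, since the record of consent is what the controller has to produce on request; the banner's "accept" and "reject" controls would both call recordChoice, so that refusing is exactly as easy as accepting, and a "cookie settings" link would call withdraw.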

See you next post! 
