Why Doesn’t GDPR Provide More Specific Guidance For Businesses?
There are a lot of really vague phrases and undefined terms in the GDPR and we really don’t know why they couldn’t be more specific. Even the whitepapers that were meant to support this are not as specific as we would like them to be. For example, there is a provision that requires companies to have a data protection representative in the EU, if their company isn’t located in the EU. The requirements for who has to have one of these representatives are very vague. It requires company who are involved in “large scale processing” that is “more than occasional” to have a data representative, but we don’t know what “large scale processing” or “occasional” means. There are no specifics about how many data subjects that means or what percentage of the company’s revenue is tied to the selling of information.
We don’t know if the sending out of a newsletter that’s ancillary to your regular business qualifies as large scale processing. The requirement to have one of these data protection representatives is a substantive requirement. This is a third party who has to act as your representative to the authorities in the EU countries. If there is a violation, the authorities are going to go to this data protection representative and that means that the representative needs to know everything there is to know about the way your company is processing information. They’re going to want to get their hands on a lot of that information and possibly do audits, and charge you for that. Data protection is a very new industry. We don’t have a lot of history to go on, as far as which companies are trustworthy. The fact that there is vagueness in the GDPR is having real consequences.
What Advice Do You Have For Organizations Without An Established Set Of Privacy Principles?
Any organization without privacy principles should get them as quickly as possible. What that means is doing a privacy audit on your company and identifying what information you collect, where you’re storing it, and with whom you share it. It also means developing a company-wide data retention policy, so there are clears rules on how long personal data will be kept before it is destroyed. Make sure that any service providers with whom you share information are complying with their own obligations. Have internal policies about what happens if there is a breach and how the company will respond to that. If you are a customer facing business, you need to make sure that you explain all of that in your privacy notice. And all internal policies should be in writing.
Make sure that you also put in writing what your company’s security policies are. Do only certain employees have access to sensitive or personal information? Do you have the appropriate firewalls in place? Are you updating your operating systems and security patches? All of those are technical and organizational measures to make sure that the information is kept secure.
You also need to consider whether or not you were collecting from people more information than you need. If you are only going to ever communicate with someone by email, you may not need their home address or information about income. You might not even need their first and last name.
For more information on GDPR Guidance For Businesses an initial consultation is your next best step. Get the information and legal answers you are seeking by calling (615) 734-1188 today.