Are you at risk from your suppliers mishandling data breaches?
I’ve seen a few suppliers make classic errors dealing with breaches in their client’s data. Here are the top three errors suppliers make and 5 suggestions to avoid them!
Most companies have some form of privacy notice on their website. To date, they have been deployed “en masse” and for the most part without any real thought given to the main purpose of a privacy notice – to detail the personal data processing activities of the organisation. Most privacy notices are generic and use boilerplate language. Placed side by side, it would be difficult to tell the personal data collected and services provided by one organisation from those of another, even where their processing activities and the personal data they collect are completely different.
Article 13 of the GDPR is very prescriptive on the information that must be provided to the data subject at the time their personal data is collected.
Article 12 states that information must be provided in “a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”.
Article 12(7) also states that the information must be provided in a way that gives an “easily visible, intelligible and clearly legible … and meaningful overview of the intended processing”. So, no more repetition of the data protection principles ad nauseam.
The GDPR increases the amount of information that needs to be included in a privacy notice and yet paradoxically requires that the privacy notice should be “concise”.
Article 13 requires that the privacy notice should include the following information:
This is clearly a significant departure from the privacy notices of old, and some of these provisions will set some heads scratching. Note that the requirements of Articles 12 and 13 apply only to data controllers; however, many data processors may well volunteer a privacy notice to identify their role in the processing.
A privacy notice is also a helpful step towards compliance with other provisions of the GDPR that are relevant to data processors, such as the data protection principles in Article 5.
One of the first steps to meeting the requirements of Articles 12 and 13, and indeed to compliance with the GDPR in general, is to know your data.
We have written previously about building your data catalogue. Without answering all the questions that make up a data catalogue, it will be impossible to draft a privacy notice that complies with the GDPR. You can spot a “meaningful” privacy notice a mile away. Take your first vital step toward compliance and make your privacy notice stand out from the crowd: build a data catalogue, then draft a “meaningful” privacy notice.
Or better still call in the experts and have Fort Privacy do it for you!