Data Protection Act vs GDPR

One of the principles of the GDPR is ‘transparency’.  What this means is that:

  1. you tell people what you do with their data;
  2. you tell people what their rights are in relation to that data; and
  3. you tell people how to exercise those rights.

Does your organisation really tell people all these things?

What you really need to tell your customers

Your website should say in plain, easy to understand language exactly how you process customer data.  For example, it needs to say what personal data you collect, what you do with it, who you share it with, how long you keep it and what you do to keep it safe (amongst other things).  The ICO has a useful example.

But don’t just think that having a policy on your website is enough.  You need to make sure that all your marketing information provides customers with the right information.  You need to make sure that you regularly check that the information you hold about customers is accurate.  For example, you may have seen pop-up notices within online products inviting users to check their personal information.

If you are not transparent, or you do not do what you say you do in your privacy notices, you are inviting complaints.  And if you are inviting complaints, you are inviting claims.  You don’t want any claims.  Trust us, even the small ones are really time-consuming and expensive.

What you really need to tell your staff

You should also tell your staff what you do with their personal data.  Not only is it good HR practice to be transparent with your employees, but you will often be processing personal data of a very sensitive nature.  You need to be sure that you protect it, and ensure your employees trust you to keep it secure and to use it only for the purposes for which it was supplied.

If you don’t have a clear privacy notice for your staff, you threaten the trust that you want your employees to have in you, and you potentially make things more difficult for yourself if an individual leaves and decides to make a claim against you.  Using the GDPR as a weapon in employment litigation is all too common.

What you really need to tell your candidates

You need to have a clear policy in relation to individuals applying for jobs.  You need to make sure that your recruitment consultants are complying with the law.  You need to make sure that you have a policy that prevents candidate information being distributed by email.  And you need a privacy notice for candidates telling them how you will treat their personal information.

Recruitment is a time-consuming process in any event.  You don’t want unsuccessful candidates putting you to more work by claiming that you have not complied with the GDPR in handling their personal information.

What good GDPR compliance really looks like

To do data protection compliance well, you need a comprehensive data protection compliance programme.  To achieve this, you need a simple, well-understood structure upon which to base that programme.  And you need to make sure that all your staff understand the programme and how they can contribute to it in their day-to-day working lives.

The Privacy Compliance Hub helps organisations like yours achieve just that.  With one simple platform, it helps business leaders like you create and maintain a culture of continuous compliance.  Get in touch to arrange a demo.

This article is part of an eight-part series.  Feel free to check out the others:

GDPR: Are you sure you’re fine?

  1. Are you sure your staff know why the GDPR is important to the success of your organisation?
  2. Are you sure you know what you do with people’s data?
  3. Are you sure you tell people what you do with their data?
  4. Are you sure you trust organisations that you are sharing data with?
  5. Are you sure that nobody will complain?
  6. Are you sure you’re secure?
  7. Are you sure you know which countries keep data safe?
  8. Are you sure you build products and services with privacy in mind?