The second of our Eight Privacy Promises. To comply with privacy rules including the GDPR and the CCPA your organisation needs an inventory of personal information. This basic (but sometimes difficult) step is one of the cornerstones of establishing and maintaining an effective privacy compliance programme. However, keeping track of your personal information is not as easy as keeping track of your employees, or your office equipment. Personal information moves quickly and easily and is often kept in multiple locations.
At The Privacy Compliance Hub, we provide a simple platform to make it easy to establish and maintain an effective privacy compliance programme. The programme is based upon our unique Eight Privacy Promises. Helping everyone understand those Eight Privacy Promises is our very own Privacy Guy who guides you through what it means and what it takes to comply with the law.
Promise 2 – We know what we do with personal information
Or, put another way, we promise to know and continue to know what personal information we collect, what we do with it, where we keep it, who we share it with, how long we keep it and what we do with it when we no longer need it.
What The Privacy Guy needs you to understand
Your organisation and the people in it can’t just process personal information because they want to, or think they need to. Each processing operation needs what is called a ‘legal basis’. And once you have established that you have a legal basis, you need to stick to that legal basis. For example, you can’t rely on consent as a legal basis and then, when that consent is withdrawn, swap your legal basis to ‘legitimate interest’.
You need to understand the difference between personal data and special category data (sometimes called sensitive data). Special category data includes data revealing race or ethnic origin; political opinions; religious or philosophical beliefs; or trade union membership. It includes genetic data; biometric data; health data; data concerning a person’s sex life; and data concerning a person’s sexual orientation. You need to understand that this special category data must be treated differently, so you need to recognise when you have it and apply special rules to it.
Why The Privacy Guy thinks you should care
You and your staff want to work for a successful organisation. A successful organisation is one that has the trust of its customers. A significant part of establishing and maintaining that trust is protecting the personal information of those customers. And your organisation can’t protect that information unless it knows what it has, where it keeps it, what it does with it, what rights it has in relation to it, who it shares it with, how long it keeps it and what it does with it when it no longer needs it. This is an inventory. It leads to customer trust. Which leads to revenue. Which (in the absence of any altruistic motivation) is why you should care.
What The Privacy Guy needs you to do
All The Privacy Guy asks is that your organisation has an inventory which includes all the necessary information required by law. Keep it accurate. Keep it up to date. Always think, “Why do I need this information, what do I do with this information and how do I use this information?”
Think about ‘data minimisation’. That is, keep the amount of personal information that your organisation processes to a minimum. The less personal information your organisation processes the less your risk of a data breach, or a difficult subject access request.
Think about ‘purpose limitation’. You can’t keep personal information just because it might be useful. And you can’t collect personal information for one purpose and then use it for another. These are exactly the sort of things that get organisations into trouble with a regulator.
A culture of continuous compliance
In our view, the only way to comply with privacy rules such as the GDPR is through a cultural shift in your organisation. At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous compliance by making everyone in an organisation understand privacy, care about privacy and do their bit to protect personal information. Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to comply with privacy rules including the GDPR and the CCPA.