As well as keeping your customers informed, you also need to make sure that your staff know what they can and can’t do with the personal information that you process, so that they don’t do something with it outside of what you have explained to individuals.
To do this you are going to need a structured privacy compliance programme. At The Privacy Compliance Hub, we provide a simple platform to make it easy to establish and maintain such a privacy compliance programme. The programme is based upon our unique Eight Privacy Promises. Helping everyone understand those Eight Privacy Promises is our very own Privacy Guy who guides you through what it means and what it takes to comply with the law.
Promise 3 – We tell people what we do with personal information
Or, put another way, we promise to be transparent about the personal information we process.
What The Privacy Guy needs you to understand
Your organisation and the people in it need to understand what they are and aren’t allowed to do with the personal information that they process. At the very least, your staff need to know that each processing operation (eg. sending out a marketing email; using new account management software; sharing personal data with a contractor) needs what is called a ‘legal basis’. If this is ‘consent’ then that consent needs to be valid and of the quality required by law. What personal information you process, what rights you have in relation to it, what you do with it, who you share it with, how you protect it, how long you keep it and what you do with it when you no longer need it, all need to be communicated to individuals at the point you collect their personal information.
Why The Privacy Guy thinks you should care
You and your staff need to care about being transparent with individuals regarding what you do with their personal information. To get your staff to care, you really need an active privacy compliance programme in place. This programme should, ideally, include training which explains privacy in a way that relates back to your staff’s private lives. For example, some of your staff may use dating apps. They know and are happy for their contact details to be communicated to potential dates. However, if they found out that the dating app shared their personal information with, for example, sexual health advisors, or insurance companies they may feel very uncomfortable.
What The Privacy Guy needs you to do
All The Privacy Guy asks is that your organisation is that you be clear with people when you collect and process their personal information. This means privacy notices drafted in accordance with the law and displayed when the information is collected so that individuals can make an informed choice. Such notices need to be transparent, concise and use plain and clear language. Be creative. Consider infographics, video and tiered notices.
Being transparent means much more than just a privacy notice on your company website. You need to think about ‘just in time notices’ warning users when you are about to do something unusual with their personal information. You will need privacy notices that tell your employees what you do with their personal information. You are likely to need privacy notices that tell prospective job candidates how you use their personal information. All such notices are available in The Privacy Compliance Hub.
A culture of continuous compliance
In our view, the only way to comply with privacy rules such as the GDPR is through a cultural shift in your organisation. At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous compliance by making everyone in an organisation understand privacy, care about privacy and to do their bit to protect personal information. Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to comply with privacy rules including the GDPR and the CCPA.