To prevent oversharing, you are going to need to put in place a structured privacy compliance programme. This is because, unless people understand why oversharing is dangerous, they won’t care enough not to do it. But once they understand, they will care. And once they care, they will stop oversharing. At The Privacy Compliance Hub, we provide a simple platform to make people understand and care. The programme is based upon our unique Eight Privacy Promises. Helping everyone understand those Eight Privacy Promises is our very own Privacy Guy who guides you through what it means and what it takes to comply with the law.
Promise 4 – We only share personal information with people that we trust
Or, in other words, we promise that we will only share personal information with third parties that process it in accordance with our Privacy Promises.
What The Privacy Guy needs you to understand
One of the cornerstones of the GDPR is the principle of data minimisation. The idea is that the less personal information you process, the easier it is to keep it safe. Your staff need to understand that this is even more important when it comes to sharing personal information. As soon as personal information leaves your organisation, you lose an element of control. Therefore, you need to minimise the extent of such sharing.
You need to appreciate that even when personal information leaves your organisation you are likely to remain responsible for it if something goes wrong. Individuals have trusted you with their personal information and they (and the law) are looking to you to protect it.
Your staff need to have a basic appreciation of the status of the organisation that you are sharing the personal information with – is it a controller, a processor, or a joint controller? The responsibilities will be different, depending on the nature of the sharing relationship. If your staff don’t know, they should know who to ask.
Why The Privacy Guy thinks you should care
In our private lives, when we share our personal information with an organisation, we don’t have an expectation that that organisation will share it with anyone. If it is going to be shared, we need to be comfortable with who it is being shared with, why it is being shared and how it is going to be kept safe when it is shared.
The same applies in our working lives. We need to care about the personal information we come across at work, just as much as we care about our own personal information. Just as we wouldn’t expect our doctor to share our personal information with an insurer, our customers wouldn’t expect us to share their email addresses with other companies.
What The Privacy Guy needs you to do
First, the Privacy Guy needs everyone in your organisation to think before they share. Do you really need to share the personal information in the first place? If the answer is ‘Yes’, then you need to make sure that the organisation you are thinking of sending the information to is a safe organisation. Will they protect that information? Will they act only in accordance with your instructions when they process the personal information? Are they able to react quickly to subject access requests from individuals in relation to that information?
Whatever the nature of the relationship between your organisation and this other organisation, before you share personal information with them you need to send them a risk assessment questionnaire and ask them to complete it. Alternatively, you need to do due diligence on their privacy practices. You then need to evaluate what you find out and, if you believe the organisation to be safe, you need an appropriate agreement in place with that organisation. All such questionnaires and agreements are available to customers of The Privacy Compliance Hub. Finally, you need to audit periodically the organisations that you are sharing personal information with.
All your staff should be ready to help with these tasks. They are the people that work with the personal information every day. They know what it is, where it is and who it is shared with. They are best placed to ensure that it is kept safe when it is shared. It is people that keep personal information safe, not policies and certainly not lawyers or external consultants!
A culture of continuous compliance
In our view, the only way to ensure that you share personal information safely is by having the right culture. At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous compliance by making everyone in an organisation understand privacy, care about privacy and do their bit to protect personal information. Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to comply with privacy rules including the GDPR and the CCPA.