Individuals must protect their own personal data and be cautious when sharing it. The same is true when data are shared with an organisation/company; they too must protect said data and be wary when sharing it.
During International Data Privacy Week, data privacy professionals at Bridewell recommend three aspects for organisations to consider.
1. Ensure You Have a Lawful Basis to Process Personal Data.
2. Privacy Notices and Cookies
Be transparent. Transparency is a key data protection principle which enables the exercise of individuals’ rights. Additionally, by being open and honest about what you’re doing with an individual’s data, their confidence in you as an organisation will increase. It’s also likely to have a positive effect upon potential customers and other business organisations.
Have a privacy notice or policy readily available on your website or where it will be seen and read. This notice is best written with the help of the Record of Processing Activities, so that nothing is missed. You should also ensure that your privacy notice is not written in legalese and is easy to understand by the persons who will be reading it; your customers. Consider their needs and adjust your privacy notice accordingly, which may be delivering it through a recording, using braille or gamifying it.
No one wants to be faced with innumerable options on cookie banners; keep it simple. Give the user ‘accept all’ or ‘decline all’ options and stay away from nudge behaviour (encouraging the user to select one option over another). Again, clearly explain what cookies you’d like to drop and why. Letting your customer know what the cookies do and why gives them greater control and creates trust.
3. Protect the Data
Protecting data is a fundamental security principle that is woven into data privacy and therefore covers a whole ambit of areas. An organisation is required to process data securely through ‘appropriate technical and organisational measures’ so the approach they take will be tailored to the organisation and the data it processes. There are lots of elements to consider; policies, risk analysis as well as physical and technical measures. These measures need to be integrated into business practices from inception onwards to make sure that data privacy is considered at the start of everything an organisation does. This is more commonly known as ‘data protection by design and by default’.
Data Privacy Week 24-28 January
The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. It is currently observed in the United States, Canada, Nigeria, Israel and 47 European countries. The week originates from The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was ratified by the Council of Europe on 28 January 1981. This treaty was the first international treaty concerning data protection and the privacy right of individuals.
Author
Becky Nicholson
Senior Data Protection Consultant
Becky is part of the team at Bridewell which delivers General Data Protection Regulation (GDPR) and Data Privacy services to organisations globally. A highly-qualified data privacy expert, Becky holds accreditations from CIPP/E, CIPM, is a OneTrust Certified Professional and a Certified ISO 27001 Lead Auditor. With Bridewell, she has assisted organisations to embed data protection into the full lifecycle of projects from planning and design through to management and governance. Becky has always managed to address the complex privacy challenges presented across multiple industries such as pharmaceutical, car manufacturing, local government, tourism, finance, not-for-profit, clean energy and investment
Blogs