Practical Guide to GDPR Compliance

Specific steps for do-it-yourself GDPR compliance.

Website

Start with the website, since it is the most visible part of your business and the first thing anyone checking on you will look at. Check the following:

  • If your website sets cookies that are not strictly necessary (analytics, marketing, embedded media), it should show a cookie consent dialog before setting them. You have closed many of those dialogs yourself; your website platform or hosting partner knows how to enable a simple one.
  • Ask the PrivacyDocs AI chatbot to generate a standard website privacy policy from the records you have entered, or adapt a well-written policy found on the Web. It covers the website, not the rest of your business. A compliant website policy usually fits on two pages and describes two or three processing activities (placing cookies, providing the website, storing access logs and, where applicable, processing feedback forms).

Check your website for third parties, such as Google Analytics, marketing software, embedded video, etc. Many websites load content from other websites, and every resource fetched from another company's server sends your visitors' data (at least their IP address and browser details) to that company, so each such third party belongs in your records and your privacy policy. The Network tab of your browser's developer tools shows every host a page actually contacts, including resources added by scripts after the page loads.
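A quick first pass over the static HTML can be scripted. The following is an added example, not part of the original page or of PrivacyDocs: it parses a page, collects every URL the browser is told to fetch (scripts, iframes, images, stylesheets, media) and groups the ones hosted outside your own domain by origin. The site URL and the sample HTML are constructed for illustration, and first-party detection is a simple suffix match on the site host with a leading "www." removed (an approximation that does not use the public suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a resource, by tag.
# Assumption: this covers the common cases; add tags as needed.
FETCH_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src", "srcset"),
    "link": ("href",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "embed": ("src",),
    "object": ("data",),
}


class ResourceCollector(HTMLParser):
    """Collects the absolute URL of every resource the page tells the browser to load."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # A <base href> changes how relative URLs are resolved for the rest of the page.
        if tag == "base" and attrs.get("href"):
            self.base_url = urljoin(self.base_url, attrs["href"])
        for name in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # srcset holds "url descriptor, url descriptor, ..."; keep only the URLs.
            if name == "srcset":
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for raw in candidates:
                # Inline data and blob URLs cause no network request.
                if raw.startswith(("data:", "blob:", "javascript:")):
                    continue
                # Resolves relative and protocol-relative ("//host/path") URLs.
                self.urls.append(urljoin(self.base_url, raw))


def first_party_host(site_url):
    """Host of the site with a leading 'www.' removed, e.g. 'www.example.com' -> 'example.com'."""
    host = (urlsplit(site_url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_first_party(host, site_host):
    return host == site_host or host.endswith("." + site_host)


def third_party_origins(html, site_url):
    """Return {origin: [urls]} for every resource hosted outside the site's own domain."""
    site_host = first_party_host(site_url)
    collector = ResourceCollector(site_url)
    collector.feed(html)
    found = {}
    for url in collector.urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host or is_first_party(host, site_host):
            continue
        origin = f"{parts.scheme}://{host}"
        found.setdefault(origin, []).append(url)
    return found


# Constructed sample page: one first-party CDN, one inline image, three third parties.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Inter">
<script src="//www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<img src="https://cdn.example.com/logo.png">
<img src="data:image/png;base64,iVBORw0KGgo=">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for origin, urls in sorted(third_party_origins(SAMPLE_HTML, "https://www.example.com/").items()):
        print(origin)
        for u in urls:
            print("    ", u)
```

Run it against the saved HTML of each page of your site and compare the list with the third parties named in your records and privacy policy. Anything a script injects at run time (tag managers load further tags this way) will not appear in the static HTML, so the browser's Network tab remains the authoritative check.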

Inventory

Next, build an inventory of processing activities (the so-called records of processing activities). The GDPR is organised around processing activities, and each one needs to be described.

The website activities are a good start. Take the demo records provided with PrivacyDocs and adapt them to fit your specifics.

Fill in each record in PrivacyDocs. That may include the following:

  • Understanding which systems are involved in carrying out the processing.
  • Finding out which companies provide these systems and are therefore involved, and checking that data processing agreements exist with them.
  • Determining data retention periods.
  • Discovering the data sharing paths.
  • Reviewing the information provided to individuals (texts that appear on the website, website privacy policy, internal privacy policies, contracts with your clients).

Some records require an assessment to be conducted (typically a Legitimate Interest Assessment or a Data Protection Impact Assessment). You can consult the sample assessments provided with PrivacyDocs, or reach out to the PrivacyDocs GDPR consultancy service. These assessments are not numerous (expect to need just a few), but they require examining your processes from a particular angle and are often best done by external consultants.

Privacy Policies

Privacy policies are not a place to summarise the GDPR and talk about its principles, but a place to state specific details about the processing activities you conduct. The external privacy policy informs the individuals whose data you process (visitors, customers, applicants). An internal privacy policy tells your employees how to handle personal data, and also informs them about how their own data is processed.

Requests

Prepare your company for handling the so-called Data Subject Requests (DSRs): usually email requests that anyone can submit to your company.

  • Set up an email address as the preferred intake point, and mention it in your privacy policies and on the website.
  • This email would usually go to you or to whoever manages legal requests.
  • Ensure that incoming requests are first assessed from the legal perspective, as many are not legally grounded, and that the requester's identity is verified before any personal data is disclosed: a request is also a convenient way for an impostor to obtain someone else's data. Keep in mind that the GDPR expects a response within one month of receipt (extendable in complex cases), so log the date each request arrives.
  • Ensure that any action taken as a result of

Breaches

Explain to everyone in your company what a breach is and set up a mechanism to report one. It is more of a social process: people need to know that reporting early is expected and will not be punished. Note that a breach which poses a risk to individuals must be notified to the supervisory authority within 72 hours of your becoming aware of it, so the internal reporting path has to be fast. From the technical side, PrivacyDocs supports it with the Breach registry and templates for the compulsory breach assessments the company has to conduct.

Training

You need to train your employees about the GDPR. There are many free basic courses available. A half-hour course is sufficient for most employees, with just a few needing more in-depth knowledge. You can hold a "privacy Friday" session and watch a course video together, or request a short training from the PrivacyDocs consultancy service.

Record who was trained and when in PrivacyDocs, so that you have it as evidence of compliance.

Risks

You will probably not get it all fully done. Some contracts will be missing, some systems or processes will need to be updated, and so on. These are compliance gaps, and each one is a risk of non-compliance. Most companies carry quite a list of such gaps and risks. Register these risks in PrivacyDocs.

The most important thing here is to periodically review these risks and keep working on mitigation. Ignoring a known risk is not compliant. Registering and assessing a risk, and actually carrying out some mitigation measures, can keep your company compliant even while the risk is not yet eliminated.

Reviews

Even processes that are not expected to change need to be reviewed periodically, and an annual review is usually defensible. Put a GDPR review for next year in your agenda. Records whose review is due or overdue are flagged in PrivacyDocs so that they stay visible.