Privacy Matters With GDPR
The old EU directive required certain information to be provided to data subjects in the case of data collection, including the company’s identity, data processing purposes, the existence of certain rights to access and rectify the data, etc. And each EU Member State also has this requisite. The new EU GDPR requires that this information be even more detailed and clearer.
So in collecting personal data, you should disclose the ways that you gather, use, disclose, and manage your customer or user’s data. As each individual has a fundamental right to the protection of their data and to be informed.
What needs to be included?
And this time around, I needed our policies to be fully in line with the new GDPR requirements — as it imposes additional requirements as to the information to be provided on the collection of personal data. For example, not only do the purposes of processing need to be provided, but now also the legal basis needs to be stated. In our case for Mailjet, the principal purpose is to provide our emailing services and facilitate their performance, including verifications relating to our clients; the legal basis is to be compliant with the data privacy laws.
As a summary, the key information to be provided to your clients and users under GDPR is:
- Identity and contact details of the data controller
- Contact details of the DPO (when applicable)
- Processing purposes and the legal basis
- Where the processing is based
- Recipients of the personal data, if any
- Data transfers outside EEA, when applicable
- Data retention period
- Rights to access, to rectify and to delete data
- Right to lodge a complaint with a supervisory authority
- Existence of any automated decision making (including profiling) and the logic behind it
How exactly to create/update your policy?
I had to include the now necessary information (including the new contact information of our DPO — if you’ve forgotten, yours truly, the supervisory authority and right to lodge a complaint…) and at the same time attempting to describe all this in a clear and concise manner.
One of the main underlying principles of the GDPR is the principle of transparency; this requires that any information addressed to the public should be clear, concise, easily accessible and easy to understand. The information provided shouldn’t be bogged down in legal jargon and with cumbersome online conditions.
So I wrote out the policy as if I were talking in everyday language. No legal mumbo-jumbo. No long-winded phrases. No complicated theories. I had to forget my days of writing legal briefs. This had to be very simple.
After spending several hours on the first draft, I passed it along to my fellow colleagues (those without a legal background), so I could get some feedback as to the clarity and understandability of the document. I also met up with our CTO to ensure we were aligned on a technical side with our policies (data retention, deletion capabilities, etc.). He offered suggestions to integrate into the document and by the end of the day, I had a nice working draft. Hurrah!
What was updated?
- To harmonize the terminology with the terms used in the GDPR (words such as; data subject, controller, data processor, supervisory authority)
- To clarify the consent policy (how we obtain our client’s consent)
- To identify the data supervisory authority where customers may lodge data protection complaints (in France it’s the CNIL)
- To define our legal basis for data processing
- To allow us to respond directly to a request from a data subject to modify or delete his/her data. In the past, we had to request authorization from our customer directly and await their instructions.
- To better clarify our data retention periods (this is still a challenge to make transparent since we deal with so many different types of data, personal or otherwise — and this retention policy needs to be worked on closely with our technical team to put in place the right processes).
- To communicate our new minimum password security requirements
- To share our new DPO contact information (yours truly!)
This post was first published on the Mailjet Medium account.