Because of the GDPR legislation that was introduced in May 2018, Paylogic would like to help its customers meet the requirements included in the new legislation. Below are some considerations, action points and areas of concern which may contribute to that. Please contact the Client Success Team if you have any questions about the information below.
- Data processing overview
Make a list of all personal data your organization processes. It should be clear which forms of (personal) data are used, what the purpose of the data is, where it is stored and who has access to it.
Tip: Make sure you provide access to all processes, including how (personal) data is handled. Example: how is this data deleted? In the event that you receive an email from a newsletter subscriber with a request to delete their (personal) data, the details of this person should be deleted within one month. Make sure that you will be able to meet this requirement! The same is true in case someone wants to change their data.
- Consider ‘Privacy by design’ and ‘Privacy by default’.
‘Privacy by design’ means that you should consider the protection of privacy-sensitive information when designing (new) products and services. For instance, think of a new event or new product that can be purchased during and/or prior to the event.
‘Privacy by default’ means that you only process personal data in order to achieve a specific purpose. For example, someone who orders a ticket for an event and receives that ticket by email, cannot be sent emails afterwards for promotional purposes without explicit consent. This is because it’s not necessary for the specific purpose. The organization is responsible for who can process what data and where.
Tip: It is of critical importance that the privacy policy with regard to the processing of personal data is included in your online documentation in a clear and understandable manner. In the event that this is not the case, it might lead to distrust from fans, which can impact your organization in a negative way. Be transparent!
- Complying with the data breach notification requirements
Data leaks are getting more common, and they are often caused by hackers collecting personal data. However, these are not the only forms of data leak: people also lose company laptops or send emails containing personal data to the wrong recipients. In the event of any data leak, everyone involved needs to be informed; you must inform the persons concerned in all circumstances. If the leak has serious consequences for personal data, you must also inform the competent authorities within 72 hours. It is therefore critical that you do everything in your power to prevent data leaks.
Tip: Pinpoint any risks related to your organization. Take a look at the procedures for documenting and reporting data leaks. The GDPR guidelines require you to both report and document data leaks, so these can then be reviewed by the competent authorities.
- How do you ask permission and how do you register this permission for using personal data?
The new legislation comes with stricter requirements regarding the permission that people need to give for the processing of their data. Review the way in which you ask fans, newsletter subscribers, etc. for permission to process their (personal) data, and tell them how this data is (safely) registered. You must be able to demonstrate that you have obtained permission for the processing of personal data.