It’s been more than a year since the General Data Protection Regulation (GDPR) came into effect. Yet, organizations are still in the process of becoming compliant. Some have already been fined, with totals reaching 56 million euros.
Purpose of GDPR policy
Here, you will state your organization’s full name and details and set out your policy’s purpose. For GDPR, the purpose would be to explain clearly how you collect, process and store personal data. Also, be clear about who the data controller is for the purposes of this policy (probably your company). If you’re based outside the European Union, include details about your appointed representative in the EU; if you have a Data Protection Officer (DPO), include their contact details and how someone can reach them.
How we collect data
List what personal data you collect. For example, you could say you collect names, email addresses, IP addresses, etc. Also, mention what personal data you collect from other sources (e.g. social media, third-party services) and which those sources are.
How we use data
Explain your lawful basis for processing data. For example, in a recruitment context this could be legitimate interest or consent. Make sure to clearly state the purposes for which you process data and whether there’s any possibility of automated decision-making or profiling.
How we disclose data
Be transparent about which other parties (e.g. service providers, recruitment partners) have access to the personal data you collect, and why.
How we store data
State how you keep data secure, where you store it (including whether you transfer it outside the EU and, if so, what safeguards protect it), and for how long you retain it.
The data subject’s rights
The data subject is the person whose data you process (for example, in the recruiting process, the job candidate is a data subject). GDPR grants that person several rights (including the right to access, the right to be forgotten and the right to object). Explain all these rights and give data subjects instructions on how to exercise them.
How to complain
Provide instructions on how to lodge a complaint and name the supervisory authority for the jurisdiction where you’re based.
Clearly state that you reserve the right to modify this policy as needed and how you will notify data subjects of changes (e.g. via your website).