Below is a list, reworked from the European Commission's online guidance on the data protection reform (GDPR), of some of the things your business may need to consider and work on when reviewing your privacy and data protection policies. Consider each point in relation both to the wording of your policies and to the privacy design features of your systems.
1. Write your policies in clear straightforward language.
2. Where you rely on a user's consent as the lawful basis for processing their data, that consent must be freely given, specific, informed and unambiguous, and given by an affirmative action. Silence, inactivity or pre-ticked boxes are not consent. (Consent is only one of the lawful bases the GDPR recognises; if you rely on another one, such as performance of a contract or a legal obligation, document it and tell your users.)
3. If you are transferring personal data outside of the EU, clearly tell your users, and be sure you have a valid basis for the transfer (for example an adequacy decision for the destination country or appropriate safeguards such as standard contractual clauses).
4. You must have a well-defined purpose for collecting and processing data. If this purpose changes, inform your users about the new purposes.
5. If your business makes automated decisions about users based on their personal data (for example by an algorithm or profiling) and those decisions have legal or similarly significant effects on them, you must inform them, and give them the ability to obtain human intervention, express their point of view and contest the decision.
6. If there has been a personal data breach (such as stolen data), you must notify your national data protection authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people concerned. Where the breach is likely to result in a high risk to them, you must also inform the affected users themselves without undue delay.
7. You must enable users to move their data from your business to another service: where processing is based on consent or a contract and carried out by automated means, users have the right to receive their data in a structured, commonly used and machine-readable format, and to have it transmitted directly to another controller where technically feasible. So think about developing interoperable export formats to enable data portability.
8. Make it easy for users to access the data your business has on them, as they have a right to obtain a copy.
9. Make it easy for users to ask for their data to be deleted (the right to erasure), and build in clear safeguards: verify the identity of the person making the request, and define the cases where you are legally required to keep the data (for example to comply with a legal obligation) and tell the user why.
10. If a case concerns several EU countries, the European Data Protection Board can provide the national data protection authorities (28 at the time of writing) with guidance and interpretation and can adopt binding decisions.
11. If you violate the rules, your business could face hefty fines from the authorities: up to 20 million euros or 4% of your total worldwide annual turnover, whichever is higher.
Useful points to remember
Article written on 18 January 2019 by Agnes McKay