- Processing objectives
- Legal grounds for processing
- Processing time
As a result, you spend more time finding and editing a template than it would take to write the policy yourself or to engage a specialist, which is faster and possibly cheaper.
When drafting a policy, it is a mistake to scatter the information about each processing activity across different sections: the drafters describe the categories of data being processed separately from the purposes, and the purposes separately from the legal basis of the processing (consent, legitimate interest, contract, legal obligation, etc.). This must not be done, because the person concerned (the data subject) cannot tell which category of data is processed for which purpose. It is as if you walked up to a passer-by in the street and asked for their phone number. They would reasonably ask: “Why?” They would decide whether to give it depending on how you intend to use it. In the same way, the user gives consent to the processing of personal data depending on your purposes.
For example, in early 2019 Google received a $50 million fine from the French supervisory authority CNIL. One of the violations was that essential information about the purposes of processing, the storage periods and the categories of personal data being processed was scattered across different documents. As a result, the data subject needed 5-6 actions to obtain the necessary information.
- compiling a registry of personal data processing (art. 30 of the Regulations).
- formulation of processing purposes. For example, you ask the responsible departments for what purpose they process certain data. It may turn out that they collected some data “for the future”, without having a specific purpose for it now;
- selection of the legal basis for processing (Article 6 of the Regulation). This stage is not a “loves me, loves me not” guessing game, but a complex legal analysis;
- determination of processing time for each process;
- inventory of third parties (outsourcers, partners, suppliers, providers) to whom you give access to personal data.
Errors committed in these early stages are often clearly seen in privacy policies.
- Fines imposed after an inspection by the supervisory authority: 20 million euros, or 4% of the company's total worldwide turnover.
- If you choose the wrong legal basis, the data subject may acquire a right whose exercise effectively blocks processes in your company. Example: you have chosen consent as the legal basis for processing in a situation where only a contract is possible. If the user withdraws consent, you cannot provide the service. You end up in a legal trap: on the one hand you must honour the subject's right to be forgotten, and on the other you must render the service. Deny the right to be forgotten and you get a fine; fail to provide the service and you face sanctions under the contract you signed with that subject.
- is developed individually for the processes of a particular organization,
- is written in plain language and has a clear structure,
- is only one of many measures to comply with the Regulation, and far from the first,
- is necessary for the survival of the company in the era of the GDPR, and
- does not forgive mistakes.