Data Processing Impact Assessment- Major Points
Data controllers need to make sure that that
have user consent to collect personal data. The online publisher needs to be
able to demonstrate that the data subject has consented to processing of his or
her personal data, ideally via an intelligible and easily accessible form,
using clear language. Furthermore, users now have the right to withdraw their
consent at any time.
Employee Training
You will need to identify what your staff
respond well to and incorporate these elements to create a successful GDPR
staff training program. Common techniques include adding a game or an element
of reward. A GDPR awareness programme should be an ongoing process that is
reinforced regularly throughout the year and also when staff-related incidents
occur.
Data Retention Policy
GDPR will introduce laws that will make the
storage limitation principle considerably stricter. Soon, it will be illegal
for data processing to be excessive in relation to the purpose of acquiring
such information. Specific time limits will be set for both the processing and
reviewing of data, while the handling of personal data should remain explicit
and transparent. It's also important to make sure that all third party vendors
are encrypting the data before and after it is processed and/or transmitted to
fourth and fifth party providers.
Personal Data Collecting and Processing
First and foremost, the data controller
should assign a Data Protection Officer (DPO) when there are significant
amounts of DII data being collected and processed. Online publishers definitely
belong to this category. The DPO has the responsibility of advising the company
about GDPR compliance and monitoring the activities from the legal standpoint.
Third party vendors are becoming
increasingly necessary for modern online publishers to remain profitable. These
services can appear to be perfectly functional, they are basically autonomous
components that are working independently, often while compromising user
privacy. Many also make use of fourth and fifth party services to gain added
functionality.
Compliance is further complicated due to
the way third party solutions work. Your PII data can potentially reach new
data processors in the form of fourth and fifth party services. A proper GDPR
audit should go beyond first party software on the website and include third party
services in Ad Tech and MarTech stacks for a through inspection.
Remember, GDPR Doesn’t End With Just One
Audit
A good GDPR audit doesn’t mean your Ad Tech
stacks will stay compliant in the long run. Third party vendors often make code
changes that alter the way your PII data is processed or in extreme cases
stored, which is a violation of the GDPR guidelines. New fourth and fifth party
vendors, who can potentially be completely non compliant, can also enter the
fray.
No comments:
Post a Comment