Major Points

Data Processing Impact Assessment- Major Points 

Data controllers need to make sure that they have user consent to collect personal data. The online publisher needs to be able to demonstrate that the data subject has consented to processing of his or her personal data, ideally via an intelligible and easily accessible form, using clear language. Furthermore, users now have the right to withdraw their consent at any time.

Employee Training
You will need to identify what your staff respond well to and incorporate these elements to create a successful GDPR staff training program. Common techniques include adding a game or an element of reward. A GDPR awareness programme should be an ongoing process that is reinforced regularly throughout the year and also when staff-related incidents occur.



Data Retention Policy
GDPR will introduce laws that will make the storage limitation principle considerably stricter. Soon, it will be illegal for data processing to be excessive in relation to the purpose of acquiring such information. Specific time limits will be set for both the processing and reviewing of data, while the handling of personal data should remain explicit and transparent. It's also important to make sure that all third party vendors are encrypting the data before and after it is processed and/or transmitted to fourth and fifth party providers.

Personal Data Collecting and Processing
First and foremost, the data controller should assign a Data Protection Officer (DPO) when there are significant amounts of PII data being collected and processed. Online publishers definitely belong to this category. The DPO has the responsibility of advising the company about GDPR compliance and monitoring the activities from the legal standpoint.

Third party vendors are becoming increasingly necessary for modern online publishers to remain profitable. While these services can appear to be perfectly functional, they are basically autonomous components that work independently, often while compromising user privacy. Many also make use of fourth and fifth party services to gain added functionality.



Compliance is further complicated by the way third party solutions work. Your PII data can potentially reach new data processors in the form of fourth and fifth party services. A proper GDPR audit should go beyond first party software on the website and include third party services in Ad Tech and MarTech stacks for a thorough inspection.

Remember, GDPR Doesn’t End With Just One Audit
A good GDPR audit doesn’t mean your Ad Tech stacks will stay compliant in the long run. Third party vendors often make code changes that alter the way your PII data is processed or, in extreme cases, stored, which is a violation of the GDPR guidelines. New fourth and fifth party vendors, who can potentially be completely non-compliant, can also enter the fray.

