ProtonMail launched an online resource site yesterday, called “GDPR.eu” that offers complete compliance guide to General data protection regulation (GDPR) law by EU. GDPR is considered the toughest privacy and security law in the world. The law imposes obligations onto organizations that collect user’s personal data across Europe. The regulation includes levying fines of tens of millions of euros against organizations who violate its rules of privacy and security.
The GDPR compliance guide offers detailed information about the GDPR law and answers questions regarding “how to write a GDPR-compliant privacy notice”, “how does GDPR affect email”, “what is GDPR data protection office (DPO)”, and so on. Let’s have a look at some of the key topics covered under the GDPR compliance guide.
GDPR-compliant privacy notice
A GDPR privacy notice refers to a public document from an organization that gives details on how they process a user’s personal data and how they apply GDPR’s data protection principles. The information that needs to be mentioned in the privacy notice varies depending on two factors: a) whether an organization has collected its data directly from an individual or b) whether it’s received via the third party.
As per the GDPR law, organizations need to provide their users with a privacy notice that is:
- concise, transparent, intelligible, and is presented in an easily accessible form.
- written in clear and plain language, especially for information that is addressed specifically to a child.
- delivered properly and in a timely manner.
- provided free of charge.
The guide also mentions some of the best practices that should be followed when writing a privacy notice. It mentions that phrases such as “we may use your personal data to develop services” or “we may use your personal data for research purposes” should not be used in a public notice as they don’t give a clear picture on how an organization intends to use that data. Instead, using phrases such as “we will retain your shopping history and use details of the products that have previously purchased to make better suggestions to you for other products” is much better and informative.
GDPR email compliance
The GPR compliance guide provides information on how GDPR affects email. GDPR compliance guide states that GDPR does not put a ban on email marketing by any means, instead it encourages organizations to promote effective email-marketing.
“A good marketing email should ideally provide value to the recipient and be something they want to receive anyway. What the GDPR does is clarify the terms of consent, requiring organizations to ask for an affirmative opt-in to be able to send communications. And you must also make it easy for people to change their mind and opt-out”, states the guide.
GDPR guide states another aspect of emails i.e. email security. As per Article 5(f) of GDPR, it is the responsibility of an organization to protect personal data of the users against accidental loss, and destruction or damage, by implementing the appropriate technical or organizational steps.
Moreover, the guide also states that in order to avoid any liability, it’s important for organizations to educate their team regarding email safety. For instance, implementing basic steps such as two-factor authentication is a good initiative toward protecting user data and complying with the GDPR.
GPDR Data Protection Officer (DPO)
GDPR, under certain conditions, states that organizations should appoint a Data Protection Officer that can oversee an organization’s GDPR compliance. The Data Protection Officer (DPO) should possess expert knowledge when it comes to data protection law and practices.
Article 38 in GDPR states that no other employees within an organization can issue any instructions to the DPO when it comes to the performance of their tasks. DPOs have wide-ranging responsibilities and the position is protected from any potential interference from other employees within an organization. Also, DPO only reports to the highest level of management at the organization.
GDPR does not list specific qualifications for DPO. However, it does mention that the level of knowledge and experience required for appointing an organization’s DPO should be determined based on the complexity of the data processing operations.
The GDPR compliance guide mentions three criteria that need to be met by an organization for it to appoint a DPO:
- Public authority: the processing of personal data gets handled by a public body or public authorities within an organization.
- Large scale and regular monitoring: the processing of personal user data is the main activity of an organization who regularly and systematically observes user data on a large scale.
- Large-scale special data categories: the processing of specific “special” data is carried out on a large scale within these organizations.
Apart from these major guidelines, GDPR compliance guide also offers an overview of GDPR, GDPR compliance checklist, GDPR forms, and templates, along with the latest news and updates regarding GDPR.
Check out the complete GDPR compliance guide here.