How to Make Your Website Compliant with the GDPR – Step 4: Set Up a Privacy Rights Infrastructure
As companies scramble to get a full understanding of what the GDPR means for them and determine a path towards compliance, we’re continuing our series on getting your website up to par with the legislation.
In our last post, we covered step 3, which is to Determine the Legal Basis for Data Collection Activities. In this post, we’ll cover the basics of setting up a privacy rights infrastructure.
Under the GDPR, consumers enjoy a variety of new privacy rights regarding their personal data, and companies have the obligation to establish internal processes to accommodate this variety of rights. This component of the law literally puts data control back into the hands of the individual by legislating that people have the right to decide at any juncture what they want done with their data. That may include receiving whatever data you have on hand about them, requesting that you delete it entirely, asking for information on how and why you are processing their data, among other rights.
With the GDPR in effect, your enterprise needs to create a channel for visitors to submit any rights requests, and an attendant process for fulfilling them.
Some of the personal data rights under the GDPR:
- Right to Data Portability: Your “data subject” (visitor or customer) can receive any personal data he or she has provided to the “controller” (your organization), which that individual can then pass along to another enterprise without “hindrance” from you.
- Right to Erasure/Right to be Forgotten: For personal data you already hold about an individual, whether or not they granted consent to collect it, the “data subject” can request that you erase it, “without undue delay.”
- Right to Object: The visitor/consumer can object to you processing their personal data, unless you can demonstrate good reasons for doing so that override the person’s interests.
- Right of Access: Individuals have the right to get confirmation from you as to whether or not you’re using their personal data, in which case, they are granted the right to access it.
- Right to Rectification: A person can ask you to rectify/correct any inaccurate personal data you’re holding about him or her.
- Right to Object to Profiling (by automated processes): this is akin to tracking, and a consumer has the codified right to object to this activity.
To accommodate requests like the ones outlined above, organizations need to come up with an efficient system to manage every step of the process.
To get all five steps on “How to Make Your Website Compliant with the GDPR”, download the eBook.