Data Retention And Privacy Policy

Your privacy policy sets the direction and makes declarations that create transparency for the customers who interact with you. When you set an expectation and then meet it, you remove risk and let your customers know how you will use the information they provide. The privacy policy is also the public face of your privacy efforts. It might be just as boring as the terms of service no one reads before downloading new software onto their phones, but it isn't boring to your customers - and it shouldn't be boring to you.

In fact, from my experience, some potential customers will choose to walk away if they're not happy with your privacy policy.

There are a number of areas in which the privacy policy can have an impact. Let's look at some of the most important ones.

1. Understand Data Transfer Agreements (DTAs) and Onward Data Transfer (ODT)

Organizations transfer personal data all the time: the data is processed in a second country or, after an onward transfer, in a third country or by an international organization. Under the GDPR, certain conditions must be met before an original data transfer or an onward data transfer to a third country or international organization can take place.

If the European Commission decides that the receiving country or international organization ensures an adequate level of protection, the transfer does not need any specific authorization.

Otherwise, a controller or processor must provide appropriate safeguards, and show that data subjects have effective legal remedies available.

Failing that, you would need to obtain the data subjects' consent or meet other conditions that can be difficult to satisfy.


2. Respect Consent Mechanisms

Under the GDPR, consent must be specific. No more pre-checked boxes, bundling consent for one purpose in with others, or assuming consent. When consent is necessary for processing, the data subject must freely consent to the processing of personal data through a clear affirmative action, so no more so-called "opt-out consent" either.

For sensitive data, data subjects must give explicit consent, and you must give them an option to withdraw or refuse consent.

That means you too, marketers. Under the GDPR, all individuals have the right to object to direct marketing and profiling related to direct marketing. And under the GDPR, you must inform them that they have that right.

And you know how sometimes you want to unsubscribe from something, and you can't figure out how? Under the GDPR, you must make withdrawing consent as easy as giving consent.

3. Prepare Data Breach Notification Processes

Under the GDPR, companies must notify individuals without delay that there has been a breach of their personal data. Where feasible, you must deliver this notification within 72 hours of becoming aware of the breach, unless the breach is unlikely to affect the rights and freedoms of individuals. Data processors also have the obligation to report breaches to the company that collected and controls the data they process.


4. Support the Right to be Forgotten

If personal information is compromised, an individual has the right to have his or her personal data rectified, and a "right to be forgotten" where the retention of the data does not comply with the regulation or with applicable Union or Member State law. This right is particularly relevant when the data subject gave consent as a child and later wants to remove such personal data, especially on the Internet.

5. Retain Privacy Data Properly Throughout the Lifecycle

The further retention of the data should be lawful only where it is necessary. Necessary? Yes, necessary for exercising the right of freedom of expression and information, for complying with a legal obligation, for a task carried out in the public interest, for public health, for archiving purposes in the public interest, for scientific or historical research or statistical purposes, or for the establishment, exercise, or defense of legal claims.

6. Match Privacy Procedures to Your Privacy Policy

Privacy procedures must include privacy by design, together with privacy-aware development and deployment concepts, including, but not limited to:

Source : https://dzone.com/articles/develop-privacy-policy-and-procedures-for-gdpr
