Do you run your own business and realise that you need to comply with current data protection legislation? The RODO regulation passed by the European Parliament and the Council of the European Union has revolutionised existing standards when it comes to the processing and storage of consumer information. Every trader has to deal with a number of obligations and the preparation of relevant documentation.
New RODO documentation - rights and facilities for buyers
The customer should always be at the heart of our business - we create offers and products that fully fit their needs, we focus on professional service and we tailor marketing messages to the nature of our audience. It is the same with RODO - the regulation goes out of its way to ensure that all consumers' personal data is as protected as possible and only used for strict and clearly defined purposes. The most important customer rights introduced by RODO include:
- access to information about where their personal data is stored;
- the right to be forgotten - the buyer can request that the company completely remove their data from its database;
- the portability of their data between service providers;
- the right to restrict data processing;
- the option not to consent to profiling, of which the customer must be informed;
- expanding the catalogue of confidential information to include biometric and genetic data.
Documentation of personal data processing RODO
Maintaining data protection documentation is the responsibility of every business. One of its main tasks is to make employees aware of how they should handle the collected data so as not to infringe consumers' rights. But how can this goal be achieved? What exactly is data protection documentation? We should prove compliance with the RODO regulation by:
- implementing the required policies and procedures;
- keeping the necessary records and registers;
- using appropriate clauses in forms, contracts, and on the company website (or in other places where personal data is collected);
- conducting regular compliance reviews, together with a data protection impact assessment (DPIA) and a compliance analysis.
Important note: the provisions of the RODO do not provide for a uniform, mandatory data protection policy, which means that there are no strict requirements for internal documentation. Each business owner can therefore tailor the documents to the type of their business. The RODO only requires due care in all data processing and the ability to demonstrate that operations on buyer information comply with the provisions contained in the RODO.
Documentation of the processing of personal data should include:
- an established procedure for dealing with data protection breaches;
- a data protection risk assessment;
- contracts for the entrustment of the storage of consumer information;
- rules for the implementation of the obligations related to the RODO.
In developing the documentation required by the RODO, we can ask ourselves the following questions:
- how best to communicate knowledge of data breaches to employees?
- to whom or where should a possible breach be reported?
- how should the person who discovers the breach behave? Should they inform the owner of the company?
- what will we do about the case going forward?
- what action will we take to prevent further incidents in the future?
Documentation of personal data processing under the RODO - what needs to be prepared?
Although the RODO regulation contains no specific list of the documents we need to prepare, the kind of documents that will be needed can be deduced from its provisions.
- personal data policy - this is where we put all the procedures related to the RODO;
- data retention rules - we determine how and when we delete unnecessary consumer information;
- privacy by design and privacy by default principles - the document should explain how we ensure an adequate level of data security, as well as compliance with privacy laws;
- authorisation procedure - refers to the persons receiving authorisations to process personal data;
- the organisational structure for data protection - who is responsible for the operation of the RODO provisions in the company and what that person's responsibilities are;
- training procedure - how the company trains its employees when it comes to the processing of personal data;
- data protection impact assessment (DPIA) - when and how we will assess data protection impacts;
- a precise description of the security measures - this document should cover all the security measures we apply to protect the data from a technical, organisational and IT point of view;
- internal audit procedure - which persons will be responsible for auditing the company's data protection system;
- information and education materials for employees - how we will raise the awareness of the employed team on the correct protection of personal data.
