In part one of this two-part series, our Tampa construction lawyers have been checking items off our list of important General Data Protection Regulation (GDPR) compliance pain points. The first two items on this checklist included:
- Achieving customer consent
- Hiring a data protection officer (DPO)
Now, we will continue to review the most important things contractors should know about GDPR compliance and how they can prevent themselves from violating the data privacy rights of their customers and employees. Failure to protect others’ data could result in litigation. If this happens to you, consult a Tampa construction lawyer for guidance on what to do next.
Perform a Data Protection Impact Assessment
It’s highly advised that any company that stores personal data persistently conduct a data protection impact assessment (DPIA). A DPIA is a type of audit that assesses whether your company’s data processes and procedures are suitable under the GDPR. The assessment has three goals pertaining to data privacy and collection:
- Ensuring compliance with any pertinent legal, regulatory, and policy requirements dealing with privacy.
- Weighing the positives and negatives of your current system.
- Evaluating data protections and other processes that could potentially decrease your company’s chance of violating the GDPR.
Alerting Your Customers of a Data Breach
Even the most well-prepared businesses may experience a data breach eventually. You must always have a contingency plan for responding to a breach, but you must also be prepared to disclose the breach to your customers with complete transparency. You might think that hiding a breach will help you retain customers, but trust is a more powerful bonding agent than deceit. GDPR requirements assert that businesses must notify local data protection authorities within 72 hours following the discovery of a breach. This is one of the strictest GDPR requirements, so be sure to have the necessary systems in place not only to recognize a breach, but also to disseminate an alert to your customers within the required timeframe.
Respect Your Customers’ Rights
Under the GDPR, companies are encouraged to collect and store only the bare minimum of personal data needed for their stated purposes. Known as the “data minimisation principle,” this novel concept takes a less-is-more approach to data collection. If you don’t need it, delete it and stop worrying about it. And always, always, give your customers the right to remove all traces of their data from your system. If you follow all of the items on this checklist, you’ll greatly reduce your chance of violating the GDPR.
Disclaimer: The information contained in this article is for general educational information only. This information does not constitute legal advice, is not intended to constitute legal advice, nor should it be relied upon as legal advice for your specific factual pattern or situation.