Everything related to the GDPR…

Our data that falls under the scope of the GDPR regulation:

  • the email address database dedicated to newsletter sending,
  • personal data provided on the műszerpiac (instrument marketplace)
  • data collected by Google Analytics

—————–

1. Update your privacy policy

  1. Include a GDPR compliance line
  2. Specify what information you collect and store from website visitors (e.g. IP addresses, device information, access information, cookies, visit duration and tracking, mouse and swipe actions, email, phone, name, address and billing addresses).
  3. Specify how and where you process the personal information (accounting, marketing, UX research, sales reporting, etc.).
  4. Specify who has access to this personal data (e.g. you, Mailchimp, Google, Salesforce, etc.).
  5. Specify the contact details of the assigned Data Protection Officer in your organisation
  6. Specify how to lodge a data subject access request.
  7. Specify how long you hold personal information.

2. Remove all automatic opt-ins on your site.

All check boxes in online forms must be unticked by default. An unticked box cannot be taken as acceptance; the visitor must actively tick it.

3. Collect only information you require to run your business. 

4. All data breaches need to be recorded and actioned with a preventative measure within 72 hours.

Examples of data breaches:

  1. Personal information being passed to, or coming into the possession of, an unauthorised data processor or subprocessor.
  2. Passing personal data into a non-GDPR-compliant country.
  3. Passing of personal data to a third party without the knowledge of the data subject.
  4. Personal information leaked as a result of a hack on a website.

5. Have a data breach process and plan in place.

Have an action plan in place and run worst case scenarios to test your plan.

6. Have a process in place for when someone is looking for a copy of their data (Subject Data Access Requests).

  1. Verify their identity.
  2. Make sure you have the data before processing the request; if you do not have the data, respond and say “I don't have the data”.
  3. Do not create more personal data while performing the request.
  4. Process the request.
  5. Record it in your data audit log.
  6. Do not reveal other people's personal data, e.g. e-commerce shipping names where the name is not the requester's.
  7. Do it within 20 days.

7. Right to be forgotten requests: how to handle these

  1. Verify their identity.
  2. Make sure you have the data before processing the request; if you do not have the data, respond and say “I don't have the data”.
  3. Do not create more personal data while performing the request.
  4. Remove and/or redact the personal information stored. Remove it from all systems and marketing suites.
  5. Record it in your data audit log.
  6. Do it within 20 days.

8. Withdrawal of permission to process personal data after an ecommerce transaction

Not relevant for Muszeroldal.

9. Request for personal data in a portable transferable format.

  1. Verify their identity.
  2. Make sure you have the data before processing the request; if you do not have the data, respond and say “I don't have the data”.
  3. Send the personal data in a readable CSV format.
  4. Record it in your data audit log.

10. Update your contracts, NDAs and privacy policies on your website.

All staff need to have signed NDAs and completed data protection awareness training. A good rule of thumb is to include all staff, even those who do not have direct access to personal information in the normal course of their duties.

All customer contracts have to be updated with a GDPR clause.

11. Have a Data Breach Plan.

When a data breach occurs, you must, within 72 hours:

  1. Investigate the breach and locate its source
  2. Put in place actions to prevent it from happening again
  3. Report the scope of the breach to all affected data subjects
  4. Notify the Data Commissioner of the breach, including:
    1. The scope of the breach
    2. Number of affected subjects
    3. The source of the breach
    4. The measures taken to prevent and stop the breach from happening again

12. Assign Data Protection Officer

Appoint a staff member to look after data protection („Adatvédelmi Tisztviselő”, i.e. Data Protection Officer).