GDPR cannot be implemented by one person
The most common mistake when implementing the GDPR is to rely on the strength and resources of a single person. Typically a lawyer is expected to work through the Regulation alone. If that lawyer does not carry enough weight in the organization and cannot convince colleagues that coordinated work across departments is needed, the effort is reduced to producing useless document templates that will not protect the company.
It is even worse if the person is not a lawyer at all. Hand the GDPR questions to a copywriter or a marketer and you end up with a boilerplate privacy policy on your website. Remember why this is bad? Such a policy does not tell your users why you collected their phone numbers when they subscribed to an email newsletter. Then they are surprised to receive a call offering a product or service. The bottom line: a double complaint, one for direct marketing and one for the privacy policy.
Moral: meeting the requirements of the GDPR is a team effort. Compliance, legal, information security or IT infrastructure, marketing and sales, HR (if there are employees in the European Union), production and functional departments: this is the dream team for implementing the Regulation.
Study the requirements as a whole
Focusing narrowly on what is new, at the expense of considering the GDPR as a whole, is a common mistake. When drawing up a privacy policy or consent forms for the processing of personal data, companies often forget about rules that have existed for decades: the rules that migrated from the old Directive 95/46/EC into the GDPR. If you have only read brief overview articles about the GDPR's innovations, you most likely do not know about these rules. Yet the GDPR carries the Directive's rules forward rather than cancelling them, as Article 94 and Recital 171 make clear. Fines for failing to comply with these rules are just as large.
Assess risks
And do it everywhere. The GDPR has moved personal data protection off checklist rails and onto risk assessment. Based on your risk analysis, you must develop your own documents and decide which measures to take. The Regulation does not prescribe the result your risk assessment should lead to. Measures that are successful and effective in one company may be irrelevant in another. Only the level of risk and the characteristics of a specific threat can tell you which measures suit your company.
For example, the risk of a bribed employee handing your personal-data database to a competitor may not be relevant to your company. At the same time, it may well be that a contractor processing data on your behalf commits a violation with negative consequences for the people who entrusted that data to you. Your task is to monitor GDPR compliance by the contractors you have involved in processing personal data. You would not hear this from a friend at another company (though you can hear it from us).