In today’s article we will discuss the Specific GDPR requirements applicable to the departments of any organisation and they are:-
A) Data Privacy Office
- Appointment of Data Protection Officer,Chief Privacy Officer and team
- Development and implementation of Personal Information Management System (Policies, Manual, Procedures, Templates, Records etc;)
- Data Subject Rights Management
- Incident/Breach Management
- Risk Management
- Training, Awareness & Certifications
- Understanding of the prevailing and upcoming data privacy requirements
- Internal Audits through independent auditors
- Liaison with the Data Protection/Supervisory Authorities
- Create and maintain inventory of PII/SPI and its processing details in the company
- Privacy Impact Assessment
- Cross-border personal data transfer impact assessment
B) Legal
Inclusion of applicable Data Privacy clauses (on personal data processing and cross border personal data transfer) in the agreements with Clients and Service Providers/Vendors.
C) Company Secretary’s Office
Handle Shareholder personal data as per the common requirements listed in point 2 above
D) Recruitment/HR
- Do not collect PII/SPI which are discriminatory in nature
- Do not process PII/SPI for purposes not required by employment law and staff welfare
- Do not take decisions on employees based on “automated decision making” solution
- Involve a step of manual intervention and review prior to final decision
- Policies on publishing content on social media and collaboration platforms
- Separate consents and compliance with other DP procedures for processing PII/SPI of employee’s spouse and children
- Ensure anonymity in collection/processing of diversity related data
E) Finance (Payroll, Tax, Claims Reimbursements, etc;)
Ensure high degree of accuracy while collection and processing of PII/SPI
Abbreviations-
- PII– Personally Identifiable Information
- SPI– Sensitive Personal Information
Picture credit- https://kinsta.com