Data Protection Best Practices
1. Ensure data protection compliance from the start!
Before collecting personal data, it is important to perform an appropriate assessment and document it.
When processing personal data, you should be able to answer at least the following questions:
- Which personal data will be collected?
- From whom will the personal data be obtained?
- For what purposes will the personal data be processed?
- How will the personal data be collected?
- Will third parties be involved in the processing of the personal data?
- Will the personal data be shared with third parties?
- Where will the personal data be stored?
- How long will the personal data be kept?
- Who will have access to the personal data?
Answering these questions will allow you to organise your processing activities in a legally compliant manner, identify potential issues and take appropriate remedial measures.
This exercise should be repeated each time you start a new project involving the processing of personal data (e.g. the establishment of a new database or the acquisition of a new data collection tool).
2. Keep track of your personal data processing activities.
Ideally, you should keep a record of all data processing activities, containing the following information:
- Name and contact details of the data controller
- Purposes of the processing
- Legal basis for the processing
- Description of the (categories of) personal data being processed
- Description of the data subjects
- List of recipients of the personal data
- Details of any data transfers abroad
- Time limits for deletion of the data
- General description of the organisational and technical security measures
This may appear burdensome at first but, in the long run, you'll be happy to have this record in place. It's also important that you are able to demonstrate to potential investors that you're keeping track of this information, in light of upcoming European data protection legislation. Although certain companies will probably be exempt from this requirement (e.g. small companies with low-risk data processing activities), it is still highly recommended to keep such records.
4. Duly inform data subjects of the processing of their personal data.
Certain information must be provided to the data subjects. In particular, you should provide at least the following information:
- Your name and address
- Purposes of the processing
- Recipients of the personal data
- Rights of the data subjects, including the right to object to the processing of their personal data for direct marketing purposes
5. Always enter into a written agreement with any third party processing personal data on your behalf.
Data protection laws require controllers to enter into a written agreement with any third party processing personal data on their behalf. It is important to ensure that the agreement contains a section on data protection, in particular the organisational and security measures to be taken by the third party.
6. Create the right attitude towards privacy within your company.
Personal data should always be treated with care and adequately protected. Many data breaches or incidents are caused by preventable human errors and carelessness. Therefore, it is important to create the right attitude and mind-set within your organisation. For example, avoid downloading personal data to portable devices such as USB sticks, avoid printing or e-mailing documents containing personal data, restrict access rights, etc.