The content below is general information on EU data privacy and the GDPR, and is not an exhaustive or complete summary, nor is it legal advice for your company.
We compiled this content to serve as helpful background information on an important topic. We recommend that you consult with an attorney if you are looking for legal advice, or if you’d like help applying this information to your company’s specific situation.
The Predictive Index has published a data processing addendum to assist customers in their compliance with the GDPR.
What Clients Should Do:
The European Commission has provided a list of new obligations that companies will face under the GDPR. While not exhaustive, and geared primarily towards smaller companies, this list provides an effective starting point for thinking about your GDPR obligations:
Protect the rights of people giving you their data
- Communication: Tell data subjects in plain language who you are when you request the data, why you are processing their data, how long it will be stored, and who receives it.
- Consent: Get their clear consent to process the data.
- Access and Portability: Let people access their data and give it to another company.
- Warnings: Inform people of data breaches if there is a serious risk to them.
- Erase Data: Give people the ‘right to be forgotten.’ Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research.
- Profiling: If you use profiling to process applications for legally-binding agreements like loans, there are specific responsibilities in the GDPR that you should become familiar with.
- Marketing: Give people the right to opt out of direct marketing that uses their data.
- Safeguarding sensitive data: Use extra safeguards for information on health, race, sexual orientation, religion and political beliefs.
- Data Transfers outside of the EU: Make legal arrangements when you transfer data to countries that have not been approved by the EU authorities.
Do data protection by design
Build data protection safeguards into your products and services from the earliest stages of development.
Check if you need a data protection officer
This is not always obligatory. It depends on the type and amount of data you collect, whether processing is your main business, and whether you do it on a large scale.
Review GDPR-specific record-keeping requirements.
Anticipate with impact assessments
Impact assessments may be required for high-risk processing.
A Few Areas PI Clients May Wish to Consider:
- Information and Consent: Are you providing adequate information about use of personal data and obtaining proper consent from your assessment-takers (“data subjects”)?
- Data Retention: Have you considered how long you may keep data?
- Data Subject Requests: Do you have a process in place to address requests from data subjects?
Please contact PI or your PI Certified Partner if you have further questions, comments or suggestions. If you wish to contact PI’s Privacy Team directly, they can be reached at firstname.lastname@example.org