When using Indivd X, there are always two parties: a personal data controller and a personal data processor. The personal data controller is the party that decides the purpose of the processing and how the processing is to take place. The personal data processor is the party that processes personal data on behalf of the controller.

When Indivd AB works with its customers, the organization that owns the cameras and needs to use Indivd X is the personal data controller, while Indivd AB is the personal data processor.

This means that the controller gives Indivd AB an assignment to process and anonymize the image data. That assignment is secured with a data processing agreement. In addition to this processing, which has itself been reviewed and approved by the Swedish Data Protection Authority during a prior consultation, the controller has further obligations. Collecting personal data is about following the law, but it is also about people placing their trust in the organization. That is why it is important that the collection of personal data is done in a lawful, safe and secure manner. We therefore recommend everyone to follow the GDPR, to be transparent about how personal data is processed, to keep the information clear and simple, and to use experts in case of uncertainty.

This article is a simplified guide to what an organization needs to do to comply with the GDPR. If you are uncertain and need help, we recommend that you consult an external expert. We work with Baker McKenzie and can highly recommend their lawyers.

OBLIGATIONS FOR EVERY ORGANIZATION

1. The controller shall implement appropriate technical and organisational measures. Examples of this are a Privacy Policy, making sure that you can answer questions regarding data protection, and training your employees on the GDPR.

2. Check whether you need to appoint a Data Protection Officer. Under the GDPR this is mandatory for public authorities and for organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, which is worth checking carefully when cameras are involved.

3. Create a record of all your processing activities. It should include the purposes of the processing, the categories of data and data subjects, the recipients, the lawful basis, the security measures, the rules for data retention, etc.

4. You need to introduce routines and processes for deleting personal data, because you are not allowed to store personal data forever. Keep in mind that different types of personal data and different kinds of processing have different requirements and standards. You should also have routines for handling requests from individuals who ask for access to the personal data you hold about them.

5. You need to protect the personal data that you store. Consider introducing IT and information security policies, since your own staff and their routines are probably one of the biggest security risks.

6. You need routines for dealing with personal data breaches. Consider creating a policy so that you can act quickly if something happens; the GDPR requires a breach to be reported to the supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to pose a risk to the individuals concerned.

7. You must conduct a data protection impact assessment (DPIA) if your planned processing is likely to result in a high risk to the rights and freedoms of natural persons. If you do not have the necessary skills to do it yourselves, turn to an expert.

8. You must inform the data subjects about every processing of their personal data that you carry out.

9. You must sign a data processing agreement if you give another organization an assignment to process personal data on your behalf.

10. You should ensure that your existing agreements comply with the GDPR.

11. If you rely on consent as the legal basis for collecting personal data, you need to ensure that the consent complies with the GDPR (freely given, specific, informed and unambiguous, and possible to withdraw) and that it is documented.

12. You need to create and publish a Privacy Policy and a Cookie Policy on your website.