Are you planning new business models and products for your company or features for your existing product?
Involve your data protection officer and data protection coordinator in time in order to work against the resulting risks if processed information affects personal data. It is irrelevant of which group of data subjects the information is collected (e.g. employees of your customers or end consumers).
The GDPR takes into account the further development and evolution of products. In particular, the terms “privacy by design” and “privacy by default” are known to challenge companies to include data protection at an early stage during the development phase and beyond.
To this end, the following points, among others, must be taken into account:
- State of the art
- Implementation costs
- Type, scope, circumstances and purposes of processing
- probability of occurrence and severity of risks associated with processing
Regularly, also suppliers who are integrated into a product and may receive data play a role.
For example, if your new product or product to be upgraded deals with the extensive collection of personal data that may lead to a risk for the data subjects, a risk analysis must be carried out. Due to the high risks for data subjects this may lead to a data protection impact assessment.
As soon as the product is developed and it is clear what processing activities take place in relation to the collection of personal data, we recommend that the relevant company documentation be adapted to comply with the basic data protection regulation. In particular, when a new product is published or put into operation, the privacy policy must be created or adapted.