
FIDI NEWS

There are several ways to facilitate your FAIM onsite audit. The option you choose, however, is mainly dependent on your business type, set-up and your IT infrastructure. Some country-specific requirements could also have an impact; for example, your local tax regulations may state that you need to keep your customer records for a certain time, which would supersede the retention period for audit-related data. Options you could follow include:

- Inform your (end) customers that you retain their personal information for three years*, as your company is subject to an external quality certification (*or any time period as needed to comply, for instance, with the above tax example, or any other local regulation). This would make retention of certain personal data lawful, as it is necessary for demonstrating compliance with your external audit requirements. The lawful basis for processing would be considered a legitimate interest.
- Anonymise any personal data; that is, make sure the data supplied to the FCC and/or independent auditor cannot directly, or indirectly, identify a person. Your move files could be identified by a unique number rather than using the name of your customer.
- Use a pseudonym for personal data in your system; that is, substitute identifiable data with a reversible, consistent value.
- Request consent from your (end) customers. When you opt for this solution, it is imperative that you clearly indicate the reason(s) why you would retain certain types of data, and that you obtain the appropriate consent:
  1. Consent must be clear and distinguishable from other matters, and supplied in an intelligible and easily accessible form, using plain language. It must be as easy to withdraw consent as it is to give it.
  2. Explicit consent is required only for processing sensitive personal data; in this context, nothing short of "opt in" will suffice. However, for non-sensitive data, unambiguous consent will suffice.

"The new regulation says that companies must not keep their customers' information longer than necessary"

LAST BUT NOT LEAST

It might be relevant to inform your customers that, during your FAIM audit, and specifically during the assessment of your move files, an independent auditor is verifying that your company meets the strict data-privacy requirements as denoted in the FAIM Quality Standard. This demonstrates to them that they made the right choice by working with a FAIM-certified quality mover.

WWW.FIDI.ORG