What is GDPR?
GDPR, or the General Data Protection Regulation, is the buzzword of 2018. The new regulation came into force on May 25th 2018 and changes the way personal data is collected, stored, processed and retained for everyone in the European Union. Every business is now bound by law to protect the personal data it collects from users and employees, and to act in accordance with the regulation.
What does this mean for users?
Here is an overview of the key user (or data subject) rights:
Right to access – the data subject has the right to know how their personal data is being used and for what purposes.
Right to a correction – the data subject has the right to request that the company correct inaccurate data or complete incomplete data, by filing a statement.
Right to limit processing – in certain situations, such as when the accuracy of the data is questionable, the data subject has the right to request that processing be restricted.
Right to data portability – the data subject has the right to obtain their data in a commonly used, machine-readable format so that it can be transferred to another service provider.
Right to an objection – the data subject has the right to object to their data being used for purposes such as profiling.
Right to be forgotten – the data subject has the right to demand that a business erase all of their personal data, without having to state explicit reasons. This means that companies only get to keep the data they truly require in order to provide their service.
What does this mean for companies?
Personal data must be processed in accordance with the regulation and collected only for specific, clearly stated purposes. For instance, if a company wants to collect data for direct marketing, that purpose has to be transparent and the users need to be informed of it.
Regardless of where the company’s headquarters are located, if the company collects personal data about people residing in the European Union, then GDPR applies to it. Previously, the territorial applicability of the directive was ambiguous, but the new regulation applies to all companies processing personal data of European Union citizens.
What are the fines?
There are 2 types of penalty scenarios. An organization can be fined up to 4% of its annual global turnover or €20 million (whichever is greater) if, for example, customer consent was not sufficient or the core Privacy by Design concepts were violated. The other type of penalty is a fine of 20% of global income or up to €10 million if the company does not have its records in order, fails to notify the supervisory authority and the data subjects about a breach, or fails to conduct an impact assessment. It is important to note that these rules apply to both controllers and processors, which means that cloud providers are not exempt from GDPR enforcement.
What should managers do?
We suggest that you take the following steps for a smooth transition:
- Make sure that the right people from your company are fully informed about the new regulation.
- You should know what personal data you have already collected and from what sources. By personal data, we mean all data from your employees, interns, clients, users, donors etc.
- Make sure that your privacy notices are clear and easy to understand.
- Examine all your processes and make sure they comply with the individuals’ new rights.
- Make sure you are able to detect, investigate and report a personal data breach.
- Simulate a user who demands that their data be erased, and test whether you can locate and delete that data quickly.
- Consult the people in your legal department when creating future consent forms for personal data use. Tick boxes and tacit agreements fall short of the new requirements.
- Create extra protection for children, as children under a certain age cannot give consent themselves.
- Appoint a data protection officer who will be responsible for data protection in your company.