Is your company ready for GDPR?
Is your company prepared for the GDPR?
The GDPR is changing a number of rules, but it is not bringing about a personal data protection revolution
The GDPR regulates a number of aspects in the European protection of privacy and is introducing some novelties; however, most existing principles remain unchanged. Thus, the situation is not becoming very different for organizations that comply with requirements of the current legislation.
The GDPR was passed in 2016 (but takes effect on 25 May 2018) with an aim to strengthen the position of citizens when their personal data are handled. Thus, the regulation applies to all of those who process personal data in any manner - providers of services, e-shops, employers, regardless of their legal form.
The GDPR is often considered a “revolutionary regulation” or a “bugbear”, mainly because of the widely publicized maximum penalties of up to 20 million Euros or 4% of global annual turnover. Of course, it is not advisable to underestimate the GDPR, but it should not be considered a revolution, either. After all, the regulation is also an opportunity - it sets the same rules of the game across Europe and can become a communication benefit towards your customers.
*The General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council
What crucial novelties is the GDPR bringing?
Global effect
The GDPR applies to all entrepreneurs, regardless of their legal form, who do business within the European Union or who provide their services or products to the European Union and process personal data during those activities. Therefore, a number of overseas companies that have escaped European regulations so far must now adapt themselves to the requirements of the GDPR. This applies to many companies, including giants such as Google or Facebook.
How does the GDPR deal with big services and advertising networks?
A stronger position of consumers
The GDPR originated with the aim of better protecting the privacy of citizens (data entities, i.e. data subjects), and therefore it gives them some new rights. The data administrator is obliged to inform them transparently of the scope and purpose of the data processing and to comply with the data entities’ rights if they ask for them. Those rights include, for example, the right of access, the right to deletion (“the right to be forgotten”) and the right not to be subject to automated decision-making.
How to prepare for the consumers’ rights?
Personal Data Protection Commissioner
Organizations that systematically monitor data entities or process sensitive personal data on a large scale are obliged to establish the post of Personal Data Protection Commissioner (the Data Protection Officer, DPO, in the regulation’s own terminology). The Commissioner is assigned to check that personal data handling complies with the GDPR requirements, provide internal consultation, train the staff and act as the contact point for government bodies.
Do I need to have a Commissioner in my company?
Stricter rules of consent
Consent, one of the six legal bases for data processing, is more difficult to obtain and rely on under the GDPR - consent must be freely given and explicitly expressed. Well-established methods such as a pre-ticked box or a banner saying “By using the website you give your consent to...” are not valid ways of obtaining consent under the GDPR. In addition, the data entity can withdraw consent at any time. Thus, consent as a legal basis should be the last option, used only when no other legal title for the data processing can be applied.
How to get new consents and what to do with the existing ones?
Data handling principles
The regulation defines six legal bases determining how personal data may be processed - every piece of personal data must be supported by at least one of those bases, otherwise processing of that piece of data is illegal. Data cannot be processed endlessly, but only for as long as the purpose for which they were obtained lasts; afterwards, they must be deleted or anonymized. The systems in which personal data are handled must provide an adequate level of security. Processing itself should be supported by documentation - for the case of an official inspection, but also as a manual for when a data entity exercises its rights.
How to put data in order and document everything?
What must our company do to comply with the GDPR?
Step 1: Mapping of data and data flows
The first step towards compliance with the GDPR is mapping the data in your company. Together with the owners of the individual data agendas (HR, marketing, etc.) it is necessary to make a list of the individual data items they work with and supplement each item with its origin, the place and time of its storage, the legal basis for its processing, and other information.
Step 2: Setting of shared rules
After all data in the organization have been mapped and documented, it is necessary to create a control classifier that determines uniform rules across all systems. The classifier tells you, for example, that you process an e-mail address in six different contexts on the basis of three legal titles. This tool will be your guide when a data entity exercises his/her rights, as well as your documentation in case of an inspection by the Office for Personal Data Protection.
Step 3: Regulation of internal processes
Internal guidelines are the ideal tool for documenting the processes of fulfilling the data entities’ rights and of working with personal data in general. You can consult the guideline when a data entity asks you, for example, to exercise his/her right to deletion. Thanks to the guideline you will know that you must first verify the requester’s identity and assess the request. And also that not all data must necessarily be deleted.
Step 4: Changes in technology
The overwhelming majority of standard tools and services declare their readiness for the general requirements of the GDPR and for the entities’ rights. As an organization, you will have to handle entities’ rights across various systems and services; therefore, partial automation of those operations is possible.
And what about services that you developed on your own? They must be prepared for the GDPR, too.
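Steps 1 to 3 above (the data map, the control classifier and the guideline for a deletion request) can be tied together in a small, checkable data model. The following Python script is an added example, not code from the original article or from any product it mentions: the inventory records are constructed for a fictitious company, the six legal-basis labels are assumed spellings of the bases in Article 6, and the deletion rules in `erasure_request` are a deliberately simplified assumption (consent-based processing stops when consent is withdrawn; data held under a legal obligation is kept for its statutory retention; data for a running contract is kept), not legal advice.

```python
"""Added example: a toy GDPR data inventory (Step 1), control classifier
(Step 2) and a deletion-request walkthrough (Step 3).
All records below are constructed sample data for a fictitious company."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed labels for the six legal bases of Article 6 GDPR.
LEGAL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
               "public_task", "legitimate_interests"}


@dataclass(frozen=True)
class DataItem:
    item: str                  # the personal data item, e.g. "email"
    system: str                # where it is stored (Step 1: place of saving)
    context: str               # the agenda / purpose it serves
    legal_basis: str           # one of LEGAL_BASES
    retention_days: int        # keep this long after the purpose ends, then delete/anonymize
    purpose_ended: Optional[date] = None   # None while the purpose is still running


# Constructed inventory: e-mail is processed in six contexts on three legal bases,
# mirroring the example given in the article.
INVENTORY = [
    DataItem("email", "crm", "customer account", "contract", 30),
    DataItem("email", "mailer", "newsletter", "consent", 0),
    DataItem("email", "erp", "invoicing", "legal_obligation", 3650),
    DataItem("email", "helpdesk", "support tickets", "contract", 365,
             purpose_ended=date(2016, 1, 1)),
    DataItem("email", "analytics", "web analytics", "consent", 0),
    DataItem("email", "hr", "job application", "consent", 180,
             purpose_ended=date(2017, 9, 1)),
    DataItem("phone", "crm", "customer account", "contract", 30),
]


def validate(inventory):
    """Every record must cite one of the six bases; otherwise the processing is illegal."""
    bad = [d for d in inventory if d.legal_basis not in LEGAL_BASES]
    if bad:
        raise ValueError(f"records without a valid legal basis: {bad}")
    return True


def classifier(inventory):
    """Step 2: for each data item, how many contexts it appears in and which bases apply."""
    acc = defaultdict(lambda: {"contexts": set(), "bases": set()})
    for d in inventory:
        acc[d.item]["contexts"].add((d.system, d.context))
        acc[d.item]["bases"].add(d.legal_basis)
    return {item: {"contexts": len(v["contexts"]), "bases": sorted(v["bases"])}
            for item, v in acc.items()}


def overdue(inventory, today):
    """Records whose purpose has ended and whose retention period has run out:
    these must be deleted or anonymized regardless of any request."""
    return [d for d in inventory
            if d.purpose_ended is not None
            and today > d.purpose_ended + timedelta(days=d.retention_days)]


def erasure_request(inventory, item, today):
    """Step 3: decide, per system, whether a deletion request for `item` leads to
    deletion or to justified retention. Simplified assumption, not legal advice.
    Returns (delete, retain), each a list of (system, reason)."""
    late = set(overdue(inventory, today))
    delete, retain = [], []
    for d in inventory:
        if d.item != item:
            continue
        if d.legal_basis == "consent":
            delete.append((d.system, "consent withdrawn"))
        elif d in late:
            delete.append((d.system, "retention expired"))
        elif d.legal_basis == "legal_obligation":
            retain.append((d.system, f"statutory retention {d.retention_days} days"))
        elif d.purpose_ended is None:
            retain.append((d.system, f"purpose ongoing ({d.legal_basis})"))
        else:
            until = d.purpose_ended + timedelta(days=d.retention_days)
            retain.append((d.system, f"retention running until {until}"))
    return delete, retain


if __name__ == "__main__":
    validate(INVENTORY)
    print(classifier(INVENTORY))
    delete, retain = erasure_request(INVENTORY, "email", date(2018, 5, 25))
    print("delete:", delete)
    print("retain:", retain)
```

Running it with the constructed inventory shows the point made in Step 3: of the six systems holding the e-mail address, the newsletter, analytics and HR copies go because they rest on consent, the expired support-ticket copy goes because its retention ran out, while the CRM copy (contract still running) and the ERP copy (statutory invoicing retention) are kept, with the reason recorded for the reply to the data entity and for any inspection.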