In the previous post, we explained what the main new roles introduced by GDPR are and what the impact of the new legislation is. Now, let's dive into more details.
If you process EU citizens' data as part of your activity, regardless of whether that processing occurs inside or outside the EU, then the GDPR applies to you. Bear in mind that employee data and customer data ARE personal data, and the simple fact of storing that data is considered a processing activity.
The GDPR is not simply a box-ticking exercise to avoid a big fine. It is principles-driven and aims to change the way we perceive and treat personal data. There are six principles, listed below:
Personal Data: the term can be interpreted in many ways, but a good rule of thumb is that if a piece of information can lead to a specific person, then that information is considered personal data under the GDPR (for example a name, economic identity, physical description, cultural factors, etc.).
Lawfulness of Processing: Article 6 of the GDPR stipulates that for you to be able to process personal data, at least one of the following conditions must be met:
If none of the above applies, then you are not allowed to collect and process the data.
Data controller and Data processor: Controllers are at the origin of the decision to collect specific data. Processors decide how the data is stored, processed, transferred or deleted. Both have the responsibility to protect that data.
Data breach notification: in the event of a personal data leak, it is the responsibility of the controller to notify the supervisory authority of the breach within 72 hours. However, this obligation applies only if the breach is likely to result in a risk to the rights and freedoms of the data subject.
Rights of individuals: the GDPR strengthens existing rights and grants new rights to EU citizens. You need to be able to respond to any request from a data subject wishing to exercise one or more of these rights. The most famous one is the right to be forgotten (see details in the previous blog post on GDPR), meaning that the data subject can request that you erase all information related to them. You can find these rights and their description in Articles 12 to 23 of the GDPR.
Privacy by default and design: this means that your policies and processes should protect the data from the beginning of the processing and that you should take the appropriate technical and organizational measures to ensure the security of the data during its lifecycle. Like I said, with the GDPR you will have to change your approach to personal data.
Data Protection Officer: DPOs are data protection experts who act as the single point of contact for all data processing notifications and report to the highest level of management. Not every organization is required to appoint a DPO (you can find more information in article 29), but it is recommended to allocate one employee to deal with data protection in your organization.
The data protection authorities can impose fines of up to €10 million, or 2% of the worldwide annual revenue of the prior financial year (whichever is higher) for "small breaches"; for "higher breaches", fines can go up to €20 million, or 4% of the worldwide annual revenue of the prior financial year.
These are huge amounts, but there is no reason to panic. Auditors will not come knocking at your door from 26th May. What you need to do is start building a strong compliance program and show good will (which should be documented!) that you are working towards becoming GDPR compliant.
It is a risk-based approach so think about training as the first line of defense. Everyone in your company should be aware of the GDPR and its impact.
Conduct a data audit so you are fully aware of all the data you are collecting and processing within your organization.
You do not have to comply with every requirement of the GDPR; which ones apply depends on the size of your company, your activity and whether you are a processor or a controller… Check the regulation to see which requirements your company has to comply with by May 2018, and start making a plan now.
Resources and toolkits worth looking into:
Disclaimer: This blog was created by Nebu in order to provide a high-level, general understanding of GDPR, and should by no means be considered or used as a substitute for legal advice. Nebu does not accept any responsibility or liability for the accuracy, completeness, legality, or reliability of the information contained on this blog.
Pauline Besnier is a compliance officer at Minddistrict, currently focusing on GDPR. She specializes in highly regulated spheres, in banking, and in healthcare. She translates compliance requirements into an understandable language and implements business-friendly processes.