The EU GDPR aims to harmonize data privacy laws across Europe and to give people control over their personal data. Yet, what is personal data? The GDPR broadens the definition to cover any information that could identify – directly or indirectly – an individual, in any format or medium: from names, phone numbers and addresses through to digital identifiers such as IP addresses, cookie IDs, digital fingerprints and user IDs.
In line with the GDPR, each organization must maintain a record of all activities in which it processes personal data. This covers not only customers’ personal data but also that of employees and third parties such as suppliers.
The legislation applies to all companies established in the EU, but it will also affect companies outside the EU if they:
If organizations want to process personal data, there are six legal grounds to do so: legitimate interest, consent, legal obligation, public interest, vital interest and contractual obligations.
‘Data subjects’, or those whose personal data is being processed, have the right to be informed that a company processes their data, the right to access it, the right to rectification, the right to erasure (i.e. the ‘right to be forgotten’), the right to restrict processing, the right to data portability, the right to object and the right to not be subject to automated decision-making, including profiling.
Quite challenging! How will you, for example, respond to the ‘right to be forgotten’? You will need procedures to delete personal data, for instance because a customer no longer wants to receive any mailings. But how can you guarantee you will never send a mailing to that person again if you cannot keep the personal data of the people who asked to be forgotten?
The enforcement of individuals’ rights goes hand in hand with obligations for companies and organizations, including potentially high fines. Companies and organizations must:
GDPR compliance, however, cannot simply be handled by legal or IT, as the regulation concerns much more than just contracts, databases and IT security. Even if all your contracts comply with article 28 of the GDPR and you have put all the necessary processes in place and supported them with the required tools or system adaptations, you still risk non-compliance if the employees who handle personal data do not change their behaviour. In other words, awareness and trained employees are crucial for compliance.
So, make sure to take change management actions, including:
To underline the importance of the GDPR and encourage organizations to protect personal data, the EU can impose fines in case of non-compliance. Of course, as the GDPR and its supporting structures are still in development, it seems fines will not be issued immediately. However, ensure that your organization has a plan in place by 25 May and is able to demonstrate its progress. Naturally, the basic GDPR priorities must be initiated before 25 May.
If you think the chances of being fined are small, are there still any risks? One slip could give all your customers and employees the impression that their personal data is not treated carefully. If your customers lose trust in you, they could stop doing business with you.
Let’s go one step further. Can you imagine a dissatisfied customer or employee misusing the GDPR to make your life difficult? Could they damage your company? It is far more difficult to restore a damaged image than to (re)build one.
Will you take these risks?