Privacy remains a hot topic. Are there any boundaries to our privacy in an era where social media rules? How should we handle the personal data provided by employees, customers or suppliers? Can we freely ask our customers to provide their data for marketing purposes? Are your employees entitled to ask your HR department to delete some of their personal data?
The new General Data Protection Regulation (GDPR) answers all of these questions.
The GDPR comes directly into effect in all EU member states on May 25, 2018, and obliges companies to safeguard the privacy of data subjects.
As the new regulation will affect all organizations that handle personal data, we need to ask ourselves why this regulation is so important and how companies can get properly prepared for it. Preparing sufficiently will be key, since the GDPR introduces high sanctions for non-compliance, including revenue-based fines of up to 4% of total annual worldwide turnover or €20 million, whichever is higher.
Which substantial changes are coming our way?
Keep a detailed record of all processing activities
Companies will have to keep records of their personal data processing activities (Article 30 GDPR). Such records state which categories of data are processed and for which purposes, with whom the data is shared and, where possible, how long it is retained and which technical and organisational security measures have been taken to protect it. The record is also one of the first documents a supervisory authority will ask for, so it should be kept up to date rather than written once.
Accountability and transparency are key
The GDPR requires companies to be more transparent and to respect the strengthened rights of data subjects, such as the right to be forgotten, the right to data portability, the right to rectification, the right to object and the right to restriction of processing.
Consequently, policies, contracts and supply chains will need to be reviewed and realigned as much as possible so that they comply with the GDPR before it comes into effect.
Data Protection Officers
The GDPR obliges private companies whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale to appoint a 'Data Protection Officer (DPO)'. The same obligation applies to organisations whose core activities consist of large-scale processing of special categories of data, and to public authorities and bodies regardless of scale.
Article 39(1)(b) of the GDPR entrusts DPOs, among other duties, with the duty to monitor compliance with the GDPR. Recital 97 further specifies that the DPO 'should assist the controller or the processor to monitor internal compliance with this Regulation'.
If you process data on a small scale, it is still key that HR, IT, Risk and Legal are well aware of the new regulation, so that internal data flows and data processing activities are secured and follow the GDPR requirements.
Data breach notification
One of the most significant changes introduced by the GDPR is the requirement to notify personal data breaches. A breach must be notified to the supervisory authority without undue delay and, where feasible, no later than 72 hours after the company becomes aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Article 33). Where the breach is likely to result in a high risk to those individuals, they must also be informed without undue delay (Article 34). Because the 72-hour clock starts at discovery, an incident response process that can detect a breach, assess its impact and produce the required notification within that window needs to be in place beforehand, and every breach, notified or not, must be documented internally.
Compliance must be demonstrated, let's embrace it!
As with so much of the GDPR, being able to demonstrate that the appropriate measures were taken will be key. That is why GDPR compliance should be considered an ongoing process that requires the support of a multidisciplinary team (in-house or via consultancy).
Author: Florence Leterme.